Adding the ClickJacking Protection Custom Tag

To add the custom tag, modify the web.xml and then the declaration section of the JSP. You can customize the script for the framed JSP.

Context

Remember

Include the ClickJacking Protection Custom tag in both framing and framed JSPs.

Procedure

  1. Add the mapping of the taglib to the web.xml of the application.
    Sample Code
    …
    <jsp-config>
        <taglib>
            <taglib-uri>preventClickJacking.tld</taglib-uri>
            <taglib-location>/WEB-INF/preventClickJacking.tld</taglib-location>
        </taglib>
    </jsp-config>
    …
  2. Add the taglib command to the declaration section of the JSP.

    Use the following syntax:

    <%@ taglib prefix="<prefix>" uri="preventClickJacking.tld" %>

    You are free to determine the prefix. The prefix is used later in the JSP to refer to the custom tag. For example:

    <%@ taglib prefix="cjp" uri="preventClickJacking.tld" %>

  3. Call the custom tag in the head section of the generated HTML in the JSP.

    Use the following syntax:

    <head>
    …
    	<prefix:preventClickJacking/>
    …
    </head>
    

    For example, if you chose to use cjp as the prefix, the result would be as follows:

    <head>
    …
    	<cjp:preventClickJacking/>
    …
    </head>
    
  4. Perform customization of the clickjacking protection custom tag.
    Note

    You can define custom attributes for the protection script. Customization is only for the child JSP, that is, the JSP to be framed.

    To perform customization, use the following syntax:

    <<prefix>:preventClickJacking <attribute1>="custom_value1" <attribute2>="custom_value2" ... <attributeN>="custom_valueN"/>

    For example, a call to the custom tag with a customized error message would be as follows:

    <cjp:preventClickJacking deniedMessage="Framing of this page is forbidden for this domain!"/>

    You can modify the following attributes:

    • styleId

    • styleBody

    • dataCheckDefault

    • deniedMessage

    • releaseTimeoutMessage

    • whiteList

    • protectionCallBack

    Note

    If you set custom values for attributes, the clickjacking application XSS-encodes all of them except for the styleBody attribute.
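The following block is an added illustration and is not the code of SAP's preventClickJacking tag or its script. It models two points from the procedure above: the decision the framed (child) page's script makes, using a whiteList of framing origins and falling back to deniedMessage, and the note that every attribute value except styleBody is XSS-encoded when it is written into the generated HTML. The whiteList format (comma-separated origins), the exact encoding, and the parentOrigin input are assumptions made for the example.

```javascript
// Added example, not SAP's preventClickJacking implementation. Attribute names
// (whiteList, deniedMessage, styleBody) come from the documentation; how they are
// interpreted below is an assumption for illustration.

// HTML-attribute encoding applied to the "encoded" attributes (assumed character set).
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Assumed whiteList format: comma-separated origins,
// e.g. "https://portal.example, https://intranet.example".
function parseWhiteList(whiteList) {
  return (whiteList || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// Decision made by the framed (child) page.
//   framed:       true when the page is inside a frame (window.top !== window.self)
//   selfOrigin:   origin of the framed page
//   parentOrigin: origin of the framing page, or null when the browser does not
//                 reveal it (cross-origin parent, no ancestorOrigins support)
// Returns { allowed, message }; message is shown instead of the page when denied.
function framingDecision({ framed, selfOrigin, parentOrigin, whiteList, deniedMessage }) {
  if (!framed) {
    return { allowed: true, message: null }; // top-level page: nothing to protect
  }
  const parent = parentOrigin ? parentOrigin.toLowerCase() : null;
  if (parent && parent === selfOrigin.toLowerCase()) {
    return { allowed: true, message: null }; // same-origin framing is trusted
  }
  if (parent && parseWhiteList(whiteList).includes(parent)) {
    return { allowed: true, message: null }; // explicitly allowed framing origin
  }
  // Unknown or non-whitelisted parent: fail closed and show the denied message.
  return {
    allowed: false,
    message: deniedMessage || "Framing of this page is forbidden.",
  };
}

// Renders attribute values the way the note describes: every value is encoded
// except styleBody, which is emitted verbatim. Consequently styleBody is the one
// attribute that must never be populated from untrusted input.
const UNENCODED_ATTRIBUTES = new Set(["styleBody"]);

function renderAttributes(attrs) {
  return Object.entries(attrs)
    .map(([name, value]) => {
      const rendered = UNENCODED_ATTRIBUTES.has(name) ? value : encodeForHtml(value);
      return `${name}="${rendered}"`;
    })
    .join(" ");
}

// Constructed sample inputs for a stand-alone run.
const sampleDecision = framingDecision({
  framed: true,
  selfOrigin: "https://app.example",
  parentOrigin: "https://evil.example",
  whiteList: "https://portal.example, https://intranet.example",
  deniedMessage: "Framing of this page is forbidden for this domain!",
});
console.log(sampleDecision);
console.log(renderAttributes({
  deniedMessage: 'Denied: <script>"x"</script>',
  styleBody: "color: red;",
}));
```

The decision fails closed: when the framing origin cannot be determined, the page is treated as framed by an unknown site and deniedMessage is shown, which is the safer default for a child JSP that is only meant to be embedded by known parents. The renderer shows why the encoding note matters: the deniedMessage value is neutralised before it reaches the HTML, whereas styleBody is passed through untouched.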