Can you please help me resolve this issue?
We are trying to fix a cross-frame scripting issue by adding <% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %> to the
JSP page. My project architecture doesn't support a single control
servlet, so I added the X-Frame tag in each JSP,
but the cross-frame scripting issue still occurs in the application.
Vulnerable URL:
http://usa0300uz1178.apps.mc.xerox.com:10503/SSCM/index.jsp
index.jsp
<jsp:useBean id="project" class="com.lpasystems.cmss.ProjectBean" scope="application" />
<jsp:setProperty name="project" property="top" value='<%="http://" + request.getServerName() + ":" + request.getServerPort() + "/CMSS" %>' />
<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">
<TITLE>First File Loaded</TITLE>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>
</HEAD>
<SCRIPT LANGUAGE="JavaScript">
var sHrefLocation =
"http://usa0300uz1192.apps.mc.xerox.com:10500/xpicweb/home.html"
var bLaunchAppInSeparateWindow = true
var sNewWindowTitle = "CMSS"
var newAppWindow = null
function displayApp()
{
    if (bLaunchAppInSeparateWindow)
    {
        self.location.href = sHrefLocation
        newAppWindow = window.open(
            "index2.jsp",
            sNewWindowTitle,
            "status,resizable,scrollbars,width=900,height=600");
        if (typeof newAppWindow.focus != 'undefined')
        {
            newAppWindow.focus();
        }
    }
    else
    {
        self.location.href = 'index2.jsp'
    }
}
</SCRIPT>
<BODY bgcolor="white" onLoad="displayApp()">
<center><br><br><br>
<h3><i>Starting application....</i></h3><br><br>
<h5>
You may close this window once the application starts.<br>
To logout, simply close the main application window.<br>
</h5>
</center>
</BODY>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</HEAD>
</HTML>
Response:
HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
ETag: W/"389-1376931758000"
Last-Modified: Mon, 19 Aug 2013 17:02:38 GMT
Content-Type: text/html
Content-Length: 389
Date: Tue, 20 Aug 2013 17:27:49 GMT
Server: Apache-Coyote/1.1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<title></title>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">
<META HTTP-EQUIV="X-FRAME-OPTIONS" CONTENT="SAMEORIGIN">
</head>
<body onload="location.href='jsp/index.jsp'">
</body>
</html>
Is the URL
http://usa0300uz1192.apps.mc.xerox.com:10500/xpicweb/home.html in index.jsp causing this issue? If yes, how do I add the X-Frame tag in this HTML file?
Please help me.
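
A check of the captured response above, added here as an example and not part of the original post: it parses a raw HTTP response and reports whether a framing policy is actually delivered as a response header, since browsers ignore X-Frame-Options supplied through a META tag. `SAMPLE_RESPONSE` is a constructed, trimmed copy of the response quoted in the post; `audit_framing` and `MetaFinder` are names made up for this example.

```python
from html.parser import HTMLParser

# Constructed sample: trimmed from the response quoted in the post above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "\r\n"
    '<html><head><META HTTP-EQUIV="X-FRAME-OPTIONS" CONTENT="SAMEORIGIN"></head>'
    "<body onload=\"location.href='jsp/index.jsp'\"></body></html>"
)


class MetaFinder(HTMLParser):
    """Collects the http-equiv names of <meta> tags found in the body."""

    def __init__(self):
        super().__init__()
        self.http_equiv = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":  # HTMLParser lowercases tag and attribute names
            name = dict(attrs).get("http-equiv")
            if name:
                self.http_equiv.append(name.lower())


def audit_framing(raw_response):
    """Return (protected, findings) for one raw HTTP response string."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())

    findings = []
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    protected = any(v in ("DENY", "SAMEORIGIN") for v in xfo) or "frame-ancestors" in csp
    if not protected:
        findings.append("no X-Frame-Options or CSP frame-ancestors response header")

    finder = MetaFinder()
    finder.feed(body)
    if "x-frame-options" in finder.http_equiv and not xfo:
        findings.append("X-Frame-Options set via META tag only; browsers ignore it there")
    return protected, findings
```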