Cross Frame Scripting issue

 
Greenhorn
Posts: 20
Can you please help me resolve this issue?


We are trying to fix the cross frame scripting issue by adding <% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %> in the JSP page. My project architecture doesn't support a single control servlet, so I added the x-frame tag in each JSP.

But the cross frame scripting issue still occurs in the application.


Vulnerable URL: http://usa0300uz1178.apps.mc.xerox.com:10503/SSCM/index.jsp


index.jsp



<jsp:useBean id="project" class="com.lpasystems.cmss.ProjectBean" scope="application" />
<jsp:setProperty name="project" property="top" value='<%="http://" + request.getServerName() + ":" + request.getServerPort() + "/CMSS" %>' />

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>First File Loaded</TITLE>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>

</HEAD>
<SCRIPT LANGUAGE="JavaScript">
var sHrefLocation = "http://usa0300uz1192.apps.mc.xerox.com:10500/xpicweb/home.html"

var bLaunchAppInSeparateWindow = true
var sNewWindowTitle = "CMSS"
var newAppWindow = null

function displayApp()
{
if (bLaunchAppInSeparateWindow)
{
self.location.href = sHrefLocation

newAppWindow = window.open(
"index2.jsp",
sNewWindowTitle,
"status,resizable,scrollbars,width=900,height=600");

if (typeof newAppWindow.focus != 'undefined')
{
newAppWindow.focus();
}
}
else
{
self.location.href = 'index2.jsp'
}
}
</SCRIPT>

<BODY bgcolor="white" onLoad="displayApp()">
<center><br><br><br>
<h3><i>Starting application....</i></h3><br><br>
<h5>
You may close this window once the application starts.<br>
To logout, simply close the main application window.<br>
</h5>
</center>
</BODY>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</HEAD>
</HTML>




Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
ETag: W/"389-1376931758000"
Last-Modified: Mon, 19 Aug 2013 17:02:38 GMT
Content-Type: text/html
Content-Length: 389
Date: Tue, 20 Aug 2013 17:27:49 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<title></title>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">
<META HTTP-EQUIV="X-FRAME-OPTIONS" CONTENT="SAMEORIGIN">
</head>
<body onload="location.href='jsp/index.jsp'">
</body>
</html>



Is the URL http://usa0300uz1192.apps.mc.xerox.com:10500/xpicweb/home.html in index.jsp causing this issue? If yes, how do I add the x-frame tag in this HTML file?


Please help me.

 
Greenhorn
Posts: 14
Is the above code in the same JSP file? And you should write it in this order: <html><head></head><body></body></html>

Also, your JavaScript is after </head> and before <body>. It should be between <head> and </head>.

If it still doesn't work after that, edit your post and I will take another look at it.