SameSite Cookie

Transcript

1. SameSite Cookie Cybozu Frontend Expert Masashi Hirano @shisama

2. ฏ໺ ণ࢜ / Masashi Hirano @shisama_ shisama Node.js Core Collaborator

   ؔ੢NodeֶԂOrganizer

3. Agenda • CSRF • SameSite Cookie • Cookies default to

   SameSite=Lax

4. CSRF

5. ᶃ some-site.com ϩάΠϯ ᶄ Set-Cookie ᶅ ଞυϝΠϯ(CDN, Ad…) with ᶆ

   Request Response

6. ᶄ ✉ ᶅ evil.com Request Response ᶆ ߈ܸऀʹૹۚ͢ΔϑΥʔϜ ᶇ ෇͖ͰᶆΛPOST

   ᶉ <form id="pay" action="https://bank.com"> <input type="hidden" name="to" value="attacker" /> <input type="hidden" name="amount" value="10000000" /> </form> <script> pay.submit() </script> ᶃ bank.com΁͸
 ɹϩάΠϯࡁ bank.com ᶈ

7. CSRF (ΫϩεαΠτϦΫΤετϑΥʔδΣϦ) 1. ԿΒ͔ͷํ๏Ͱѱҙͷ͋ΔαΠτʹ༠ಋͤ͞Δ 2. ϩάΠϯࡁͷϢʔβʔʹѱҙͷ͋ΔϑΥʔϜΛPOSTͤ͞Δ 3. αʔόʔ͸Cookieʹ͋ΔϩάΠϯηογϣϯID͕Ұக͢ΔͷͰϦΫΤ ετΛड͚ೖΕΔ 4.

   ѱҙͷ͋ΔPOST͕ॲཧ͞Εͯ߈ܸऀͷૢ࡞͕੒ޭ͢Δ
 ※ࠓճͷྫͰ͸RefererͷνΣοΫͳͲSameSite cookieҎ֎ͷରࡦ͸͋Γ·͢ɻ

8. SameSite cookie

9. Cookie • ηογϣϯIDͳͲΛอ࣋͢ΔͨΊʹ࢖ΘΕΔ͜ͱ͕ଟ͍ • αʔόʔଆ͕Set-Cookieͱ͍͏ϨεϙϯεϔομʔΛ෇༩
 e.g. Set-Cookie: sid=dfj3oia4jfkl1ered4fafdarq path=/ •

   ϒϥ΢βଆͰSet-Cookieͷ௨ΓΫοΩʔΛੜ੒͢Δ ${key}=${value} Cookieଐੑ

10. CookieʹઃఆͰ͖Δଐੑ &YQJSFT ΫοΩʔͷ༗ޮظݶɻ೔࣌λΠϜελϯϓͰࢦఆ .BY"HF ΫοΩʔͷظݶ·Ͱͷඵ਺ɻ&YQJSFTΑΓ༏ઌ͞ΕΔ %PNBJO ΫοΩʔͷૹ৴ઌΛࢦఆ 1BUI ΫοΩʔΛཁٻ͢Δ63-Λࢦఆ 4FDVSF

    44-ͱ)5514Λ࢖ͬͨϦΫΤετͷͱ͖ͷΈΫοΩʔૹ৴ )UUQ0OMZ EPDVNFOUDPPLJF΍YIS͔ΒΞΫηεͰ͖ͳ͍ɻ944ͷܰݮʹ༗ޮ

11. SameSite Cookie • CookieʹઃఆͰ͖Δ৽͍͠ଐੑ • RFC͸·ͩυϥϑτ(RFC6265bis) • ΫϩεαΠτ΁ͷCookieͷૹ৴Λ੍ݶ͢Δ͜ͱ͕Ͱ͖Δ
 લड़ͷྫͩͱbank.comͷΫοΩʔΛevil.com͔Βૹ৴Ͱ͖ͳ͍Α͏ʹ੍ޚՄೳ •

    Set-Cookie: SID=1234567890abcdefg; Path=/; Domain=example.com; SameSite=Lax

12. SameSite=? • Strict:
 ɾଞͷυϝΠϯʹΫοΩʔΛૹΒͳ͍ • Lax:
 ɾΞυϨεόʔʹදࣔ͞Ε͍ͯΔURL͕มΘΔΑ͏ͳը໘ભҠɺ͔ͭGETͰ͋Ε͹ଞ ͷυϝΠϯͰ΋ΫοΩʔΛૹΔ
 ɾ<img>ɺ<iframe>ɺXHRͳͲʹΑΔଞͷυϝΠϯ΁ͷGETϦΫΤετ͸ΫοΩʔ ΛૹΒͳ͍

    • None: υϝΠϯʹؔ܎ͳ͘ΫοΩʔΛૹΔ

13. SameSite=Strict • ผͷαΠτ͔ΒϦϯΫͰભҠͨ͠৔߹Cookie͕ૹ৴͞Εͳ͍ • ϩάΠϯࡁͰ΋ผυϝΠϯͷαΠτ͔ΒભҠ͢Δͱ΋͏Ұ౓ϩά Πϯ͢Δඞཁ͕͋Δ ᶄ ᶅ ϝʔϧ͔ΒSite A΁ͷϦϯΫΛΫϦοΫ

    Site A ᶆ ᶃ ϩάΠϯ ❌

14. SameSite=Lax • ผαΠτ͔ΒͷભҠͰ΋ϩάΠϯঢ়ଶ͸ҡ࣋Ͱ͖Δ • POSTͰ͸ΫοΩʔ͸ૹΒΕͳ͍ͨΊલड़ͷCSRFͷରࡦʹͳΔ ᶄ ᶅ ϝʔϧ͔ΒSite A΁ͷϦϯΫΛΫϦοΫ Site

    A ᶆ ᶃ ϩάΠϯ ̋

15. https://caniuse.com/#feat=same-site-cookie-attribute

16. Cookies default to SameSite=Lax

17. https://www.chromestatus.com/feature/5088147346030592

18. SameSite=Lax͕σϑΥϧτʹ • ݱࡏ͸SameSiteΛࢦఆ͍ͯ͠ͳ͍ͱNoneͱಉ͡ • Chrome 80͔ΒSameSiteͷࢦఆ͕ͳ͍৔߹ɺCookie͸Laxͱಉ ͡Α͏ʹѻ͏༧ఆ • SameSite=NoneΛࢦఆ͢Δͱࠓ·Ͱͱಉ͡

19. chrome://flags/#same-site-by-default-cookies #same-site-by-default-cookies ݱࡏͰ΋ϑϥάΛ༗ޮʹ͢Δ͜ͱͰ4BNF4JUF-BYΛσ ϑΥϧτʹ͢Δ͜ͱ͕Ͱ͖Δ

20. https://www.hatena.ne.jp/ SameSite=Lax by defaultʹΑΔӨڹ ϩάΠϯ͍ͯ͠Δঢ়ଶ

21. https://www.hatena.ne.jp/ ϩάΠϯ͞Ε͍ͯͳ͍ͱ൑அ͞Ε͍ͯΔ
    ˞࣮ࡍ͸ϩάΠϯ͍ͯ͠Δ

22. http://hatenablog.com/ αʔυύʔςΟ$PPLJF͕ແޮͷܯࠂ͕දࣔɻ ϩάΠϯ͞Ε͍ͯͳ͍ͱ൑அ͞Ε͍ͯΔ
    ˞࣮ࡍ͸ϩάΠϯ͍ͯ͠Δ

23. • ݱߦ௨Γͷڍಈʹ͢ΔͳΒSameSite=Noneʹ͢Δඞཁ͕͋Δ αʔϏε͕͋Δ • ޿ࠂͳͲ΋ಉ༷ʹ͏·͘ಈ࡞͠ͳ͘ͳΔՄೳੑ͕͋Δ SameSite=LaxʹΑΔӨڹ

24. https://www.chromestatus.com/feature/5633521622188032 4FDVSFଐੑͷແ͍4BNF4JUF/POFͰ͸ΫοΩʔ͸ૹ৴͞Εͳ͍

25. ※ͨ·ͨ·ݟ͚ͭͨͷ͕Α͘ར༻͢Δ͸ͯͳͷαʔϏε Ͱ͕ͨ͠ɺ͸ͯͳͷαʔϏεʹର͢Δ໰୊఺ͷࢦఠΛ͢ ΔҙਤͳͲ͸͍͟͝·ͤΜɻ ͍ͪϢʔβʔͱͯ͠͸ͯͳͷαʔϏε͸޷͖Ͱ͢ɻ

26. ·ͱΊ • SameSite cookie͸CSRFରࡦʹ༗ޮ • Chrome 80͔ΒSameSiteΛࢦఆ͍ͯ͠ͳ͍ͱLax૬౰ʹͳΔ • SameSite=Lax ରԠ͠ͳ͍ͱ͍͚ͳ͍͔΋…

27. https://2019.kfug.jp ϑϩϯτΤϯυΧϯϑΝϨϯεͰηΩϡϦςΟͷ࿩Λ͠·͢

28. Thanks. @shisama_ shisama