Slide 1

Rails meets Content Security Policy
竹内雄一, Takeyu Web Inc.

Slide 2

@takeyuweb
Freelance since 2008
Incorporated in 2016
Using Rails since 1.1
Organizer of Saitama.rb

Slide 3

Takeyu Web Inc.

Slide 4

Rails 5.2 Content Security Policy

config/initializers/content_security_policy.rb

    Rails.application.config.content_security_policy do |policy|
      policy.default_src :self, :https
      policy.font_src    :self, :https, :data
      policy.img_src     :self, :https, :data
      policy.object_src  :none
      policy.script_src  :self, :https
      policy.style_src   :self, :https
      # Specify URI for violation reports
      policy.report_uri "/csp-violation-report-endpoint"
    end

Slide 5

Rails 5.2 Content Security Policy

Override policy inline

    class PostsController < ApplicationController
      content_security_policy do |p|
        p.upgrade_insecure_requests true
      end
    end

Slide 6

Rails 5.2 Content Security Policy

https://speakerdeck.com/yyagi/rails-5-dot-2-part1?slide=23
http://guides.rubyonrails.org/security.html#content-security-policy

Slide 7

What’s CSP?

From the IPA ISEC Secure Programming Course: "Content Security Policy is a feature that places strong restrictions on the loading and execution of scripts and similar resources."
https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/705.html

Slide 8

HTTP Header

    GET /index.html
    Host: test.host

    HTTP/1.1 200 OK
    Content-Security-Policy: default-src 'self'

Slide 9

default-src 'self'

    alert("実行されない");   // inline script: not executed, the policy allows no inline source

Slide 10

script-src https:

Slide 11

script-src 'self' 'unsafe-inline'

    alert("実行される");   // inline script: executed, 'unsafe-inline' permits it

Slide 12

script-src 'nonce-xxxxxxxxxxxxxx'
nonce: number used once

    alert("実行されない");   // <script> without a nonce attribute: not executed
    alert("実行される");     // <script nonce="xxxxxxxxxxxxxx">: executed, nonce matches the policy

Slide 13

report-uri /csp-report

When the browser blocks something, it sends a CSP report:

    POST /csp-report
    {
      "csp-report": {
        "blocked-uri": "self",
        "document-uri": "http://localhost:3000/",
        "original-policy": "script-src ...",
        "referrer": "",
        "script-sample": "onclick attribute on A element",
        "source-file": "http://localhost:3000/",
        "violated-directive": "script-src"
      }
    }

Slide 14

Directives

    base-uri
    child-src
    connect-src
    default-src
    font-src
    form-action
    frame-ancestors
    frame-src
    img-src
    manifest-src
    media-src
    object-src
    script-src
    style-src
    worker-src

Slide 15

Content-Security-Policy-Report-Only

Report Only: violations are reported but nothing is blocked

    Content-Security-Policy-Report-Only: default-src https:; report-uri https://test.host/csp-report

Slide 16

Supported browsers

Browser implementation status: Content Security Policy (CSP) - HTTP | MDN

Slide 17

Rails integration

config/initializers/content_security_policy.rb

    Rails.application.config.content_security_policy do |policy|
      policy.default_src :self, :https
      policy.font_src    :self, :https, :data
      policy.img_src     :self, :https, :data
      policy.object_src  :none
      policy.script_src  :self, :https
      policy.style_src   :self, :https
      # Specify URI for violation reports
      policy.report_uri "/csp-violation-report-endpoint"
    end

Slide 18

Rails integration

Override policy inline

    class PostsController < ApplicationController
      content_security_policy do |p|
        p.upgrade_insecure_requests true
      end
    end

Slide 19

Rails integration

    <%= javascript_tag do %>
      alert('Without nonce');
    <% end %>

    <%= javascript_tag nonce: true do %>
      alert('With nonce');
    <% end %>
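The following is an added example, not code from the talk or from Rails itself: a simplified stand-in for how the Rails 5.2 DSL above is serialised into a Content-Security-Policy header, with a per-request nonce added to script-src, plus a check that applies the rule from the earlier slides (a matching nonce allows an inline script; otherwise 'unsafe-inline' is required and is ignored once a nonce source is present). The symbol mapping and the nonce format are assumptions modelled on the Rails behaviour described in the deck.

```ruby
require 'securerandom'
require 'base64'

# Keyword and scheme sources as the Rails DSL symbols map to them (assumed mapping).
SOURCE_MAP = {
  self: "'self'", none: "'none'", https: 'https:', data: 'data:',
  unsafe_inline: "'unsafe-inline'", unsafe_eval: "'unsafe-eval'"
}.freeze

# Directive name as it appears in the header: script_src -> script-src.
def directive_name(sym)
  sym.to_s.tr('_', '-')
end

# One fresh Base64 nonce per response; a reused nonce defeats the protection.
def generate_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end

# policy: { script_src: [:self, :https], report_uri: ['/csp-report'] } in DSL shape.
# The nonce is appended to the listed directives only (script-src by default).
def build_csp_header(policy, nonce: nil, nonce_directives: [:script_src])
  policy.map do |directive, sources|
    values = sources.map { |s| SOURCE_MAP.fetch(s) { s.to_s } }
    values << "'nonce-#{nonce}'" if nonce && nonce_directives.include?(directive)
    "#{directive_name(directive)} #{values.join(' ')}"
  end.join('; ')
end

# Would an inline <script nonce="..."> run under this header value?
# script-src governs inline scripts; default-src is the fallback.
def inline_script_allowed?(header, script_nonce: nil)
  directives = header.split(';').each_with_object({}) do |d, h|
    name, *vals = d.strip.split(' ')
    h[name] = vals
  end
  sources = directives['script-src'] || directives['default-src'] || []
  nonce_sources = sources.grep(/\A'nonce-/)
  # Once a nonce source is present, 'unsafe-inline' is ignored by the browser.
  return nonce_sources.include?("'nonce-#{script_nonce}'") if nonce_sources.any?
  sources.include?("'unsafe-inline'")
end

if __FILE__ == $0
  nonce  = generate_nonce
  header = build_csp_header({ default_src: [:self, :https], script_src: [:self, :https] }, nonce: nonce)
  puts "Content-Security-Policy: #{header}"
  puts inline_script_allowed?(header, script_nonce: nonce)   # true: javascript_tag nonce: true
  puts inline_script_allowed?(header)                         # false: javascript_tag without nonce
end
```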

Slide 20

Supported directives

actionpack/lib/action_dispatch/http/content_security_policy.rb

Slide 21

Enjoy Secure Programming!