Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js

Slide 1

Slide 1 text

Nuxt.js About CSP for Nuxt.js @sunecosuri Date: 2018-06-25 Vue Night in Fukuoka #1

Slide 2

Slide 2 text

@sunecosuri GMOϖύϘΤϯδχΞ

Slide 3

Slide 3 text

࿩͢͜ͱ CSP ʹ͍ͭͯ Nuxt.js Ͱͷઃఆํ๏ʹ͍ͭͯ

Slide 4

Slide 4 text

CSP CSP

Slide 5

Slide 5 text

Content Security Policy σ ʔ λ ͷ ৵ ೖ Λ ๷ ͙ ػ ߏ ΢ΣϒαΠτͰѻ͏ϦιʔεͷಡΈࠐΈΛࡉ͔͘؅ཧ͢Δ͜ͱ͕Ͱ͖ΔHTTP headerɻ W3CʹΑͬͯ΋ఆٛ͞Ε͓ͯΓɺXSSͱ͍ͬͨѱҙͷ͋Δ injection ߈ܸͷϦεΫΛܰݮ͢Δ͜ͱ͕Ͱ͖Δɻ  ࣮ߦΛڐՄ͢ΔϦιʔεΛϗϫΠτϦετํࣜͰઃఆ͠ɺؚ·Εͳ͍Ϧιʔε͸ϒϥ΢βͰ࣮ߦΛϒϩοΫ͢Δ͜ͱ ͕Ͱ͖Δɻ ͳ ʹ Λ ๷ ͙ ͷ ͔ ɾInline Scriptͷ࣮ߦ  ɾҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ

Slide 6

Slide 6 text

Can I use ରԠϒϥ΢βঢ়گ W R I T E H E R E S O M E T H I N G A B O U T Entrepreneurial activities differ substantially depending on the type of organization and creativity. Entrepreneurial activities differ substantially depending on the type of organization and creativity. Entrepreneurial activities differ substantially depending on the type of organization and creativity. Entrepreneurial activities differ substantially.

Slide 7

Slide 7 text

※Defense-in-Depth Techniques for Modern Web Applications and Google’s Journey with CSP ΑΓҾ༻

Slide 8

Slide 8 text

࣮ߦͷछྨ W h i t e l i s t n o n c e ଐ ੑ H a s h ஋ script-src www.google-analytics.com script-src ‘nonce-t3cdm2’ script-src ‘sha256-3d8xj1psc/5kx92a…..’

Slide 9

Slide 9 text

Whitelist Whitelist e x a m p l e . t e s t C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src ‘self’ cdn.example.com; report-uri /csp-log;

ಉҰΦϦδϯͳͷͰOK srcipt-src σΟϨΫςΟϒʹ  هࡌ͞ΕͯΔͷͰOK

Slide 10

Slide 10 text

e x a m p l e . t e s t C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src ‘self’ cdn.example.com; report-uri /csp-log;

ಉҰΦϦδϯͳͷͰOK srcipt-src σΟϨΫςΟϒʹ  هࡌ͞ΕͯΔͷͰOK “>’><script src=“//evil.test”> “>’<script>alert(‘attack’)</ script> ϗϫΠτϦετʹͳ͍ͷͰNG Inline script ͸ڐՄ͍ͯ͠ͳ͍ͷͰNG Whitelist Whitelist

Slide 11

Slide 11 text

e x a m p l e . t e s t C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src ‘self’ cdn.example.com; report-uri /csp-log;

ಉҰΦϦδϯͳͷͰOK srcipt-src σΟϨΫςΟϒʹ  هࡌ͞ΕͯΔͷͰOK “>’><script src=“//evil.test”> “>’<script>alert(‘attack’)</ script> P O S T h t t p : // e x a m p l e . t e s t / c s p - l o g json ͷܗࣜͰPOST͞ΕΔ Whitelist Whitelist

Slide 12

Slide 12 text

  alert(‘execute’)    alert(‘not execute’)  nonceͰڐՄ͢Δ C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src 'nonce-EDNnf03' report-uri /csp-log; srcipt-src σΟϨΫςΟϒͰࢦఆ͞Εͨ nonce-* ͷ஋͕Ұக͢Δ΋ͷͷΈ࣮ߦ͢Δ

Slide 13

Slide 13 text

  alert(‘execute’)    alert(‘not execute’)  C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src 'sha256- qznLcsROx4GACP2dm0UCKCzCG- HiZ1guq6ZZDob_Tng=' report-uri /csp-log; Hash஋ͰڐՄ͢Δ ࣮ߦ͢ΔscriptϒϩοΫΛ೚ҙͷΞϧΰϦζϜͰΤϯίʔυͯ͠Ұக͍ͯ͠Δ΋ͷͷΈΛ࣮ߦ͢Δ

Slide 14

Slide 14 text

Nuxt.jsͰͷઃఆํ๏ʹ͍ͭͯ

Slide 15

Slide 15 text

v1.1.0 ͰCSPରԠͨ͠

Slide 16

Slide 16 text

nuxt.config.js ɾcsp.enabled Λtrue ʹ͢Δ ɾcsp.policies ʹ࣮ߦΛڐՄ͢ΔυϝΠϯΛσΟ ϨΫςΟϒ͝ͱʹఆٛ͢Δ ɾࠓճͷαϯϓϧͰ͸ҎԼΛڐՄ͢Δઃఆ  ɹ - google analytics  ɹ - google tag manager  ɹ - youtube  ɹ - font awesome