SameSite Cookie
by
Masashi Hirano
Slide 1
SameSite Cookie
Cybozu Frontend Expert, Masashi Hirano @shisama
Slide 2
Masashi Hirano (平野昌士) @shisama_ / shisama
Node.js Core Collaborator, 関Node学園 Organizer
Slide 3
Agenda
• CSRF
• SameSite Cookie
• Cookies default to SameSite=Lax
Slide 4
CSRF
Slide 5
(Diagram: how a cookie is set and then sent)
① Log in to some-site.com
② Set-Cookie
③ Other domains (CDN, ads, …)
④ Request / Response, with the cookie attached
Slide 6
(Diagram: the CSRF flow)
① bank.com: the user is already logged in
② ✉ an e-mail lures the user
③ evil.com: Request / Response
④ a form that transfers money to the attacker
⑤ ④ is POSTed to bank.com, with the cookie attached
⑥ bank.com receives the request
⑦ pay.submit()
Slide 7
CSRF (Cross-Site Request Forgery)
1. Lure the user to a malicious site by some means
2. Make the logged-in user POST a malicious form
3. The server accepts the request because the login session ID in the cookie matches
4. The malicious POST is processed and the attacker's action succeeds
※ In this example there are also countermeasures other than SameSite cookies, such as checking the Referer.
Slide 8
SameSite cookie
Slide 9
Cookie
• Often used to hold things such as a session ID
• The server side attaches a response header called Set-Cookie, e.g. Set-Cookie: sid=dfj3oia4jfkl1ered4fafdarq; path=/
• The browser side creates the cookie as specified by Set-Cookie
Format: ${key}=${value}; cookie attributes
Slide 10
Attributes that can be set on a cookie
• Expires: the cookie's expiry, specified as a date/time timestamp
• Max-Age: seconds until the cookie expires; takes precedence over Expires
• Domain: specifies where the cookie is sent
• Path: specifies the URLs that request the cookie
• Secure: the cookie is sent only on requests made over SSL/HTTPS
• HttpOnly: not accessible from document.cookie or XHR; effective for mitigating XSS
Slide 11
SameSite Cookie
• A new attribute that can be set on a cookie
• The RFC is still a draft (RFC6265bis)
• Can restrict sending of cookies across sites; in the earlier example, the bank.com cookie can be prevented from being sent from evil.com
• Set-Cookie: SID=1234567890abcdefg; Path=/; Domain=example.com; SameSite=Lax
Slide 12
SameSite=?
• Strict: the cookie is never sent to other domains
• Lax: the cookie is sent to other domains on a page transition that changes the URL shown in the address bar, provided the request is a GET; GET requests to other domains made by XHR and similar mechanisms do not carry the cookie
• None: the cookie is sent regardless of domain
Slide 13
SameSite=Strict
• When you arrive from another site via a link, the cookie is not sent
• Even if already logged in, arriving from a site on another domain means you have to log in again
(Diagram: ① log in to Site A; ② ③ click the Site A link in an e-mail; ④ Site A ❌ cookie not sent)
Slide 14
SameSite=Lax
• The logged-in state is kept even when arriving from another site
• The cookie is not sent on a POST, so this counters the CSRF described earlier
(Diagram: ① log in to Site A; ② ③ click the Site A link in an e-mail; ④ Site A ◯ cookie sent)
Slide 15
https://caniuse.com/#feat=same-site-cookie-attribute
Slide 16
Cookies default to SameSite=Lax
Slide 17
https://www.chromestatus.com/feature/5088147346030592
Slide 18
SameSite=Lax becomes the default
• Currently, a cookie with no SameSite attribute behaves the same as None
• From Chrome 80, a cookie with no SameSite attribute is planned to be treated the same as Lax
• Specifying SameSite=None keeps the behaviour as it is today
Slide 19
chrome://flags/#same-site-by-default-cookies
Enabling the #same-site-by-default-cookies flag makes SameSite=Lax the default already today.
Slide 20
https://www.hatena.ne.jp/
Effect of SameSite=Lax by default: the state while logged in
Slide 21
https://www.hatena.ne.jp/
The site judges that the user is not logged in (※ the user actually is logged in)
Slide 22
http://hatenablog.com/
A warning that third-party cookies are disabled is shown. The site judges that the user is not logged in (※ the user actually is logged in)
Slide 23
Effect of SameSite=Lax
• Some services will need to set SameSite=None to keep their current behaviour
• Advertising and the like may likewise stop working properly
Slide 24
https://www.chromestatus.com/feature/5633521622188032
A SameSite=None cookie without the Secure attribute is not sent
Slide 25
※ The services I happened to find affected are Hatena services that I use often; I have no intention of criticising Hatena's services. As a user, I like Hatena's services.
Slide 26
Summary
• SameSite cookies are effective as a CSRF countermeasure
• From Chrome 80, a cookie without a SameSite attribute is treated as Lax
• Will we have to deal with SameSite=Lax…
Slide 27
https://2019.kfug.jp
I will be talking about security at the Frontend Conference.
Slide 28
Thanks. @shisama_ shisama