Slide 1

SameSite Cookie Cybozu Frontend Expert Masashi Hirano @shisama

Slide 2

Masashi Hirano (平野 昌士) @shisama_ / shisama
Node.js Core Collaborator, Kansai Node Gakuen (関西Node学園) Organizer

Slide 3

Agenda
• CSRF
• SameSite Cookie
• Cookies default to SameSite=Lax

Slide 4

CSRF

Slide 5

Diagram: ① log in to some-site.com ② Set-Cookie ③ other domains (CDN, Ad…) receive requests with the cookie ④ Request / Response

Slide 6

Diagram: ① the user is already logged in to bank.com ② email ③ evil.com, request / response ④ a form that transfers money to the attacker ⑤ ④ is POSTed with the cookie attached ⑥ bank.com ⑦ pay.submit()

Slide 7

CSRF (Cross-Site Request Forgery)
1. Lure the user to a malicious site by some means
2. Have the logged-in user POST a malicious form
3. The server accepts the request because the login session ID in the cookie matches
4. The malicious POST is processed and the attacker's operation succeeds
Note: for this example there are other countermeasures besides SameSite cookies, such as checking the Referer.

Slide 8

SameSite cookie

Slide 9

Cookie
• Often used to hold things like a session ID
• The server side attaches a response header called Set-Cookie
  e.g. Set-Cookie: sid=dfj3oia4jfkl1ered4fafdarq; path=/
• The browser side creates the cookie as instructed by Set-Cookie
  (format: ${key}=${value}; followed by the cookie attributes)

Slide 10

Attributes that can be set on a cookie
Expires: the cookie's expiry, given as a date/time timestamp
Max-Age: seconds until the cookie expires; takes precedence over Expires
Domain: specifies where the cookie is sent
Path: specifies the URL path that requests the cookie
Secure: the cookie is sent only on requests made over SSL/HTTPS
HttpOnly: not accessible from document.cookie or XHR; effective at mitigating XSS
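As an added example (not from the slides), the attributes above as working JavaScript: one function builds the Set-Cookie header value a server would send, the other parses it back into the attribute map a browser would keep. The function names and the attribute object shape are this example's own; the Max-Age-over-Expires precedence follows the table.

```javascript
// Added example, not code from the original slides. Serialize and parse the
// Set-Cookie header with the attributes listed on slide 10.
const ALLOWED_SAMESITE = new Set(['Strict', 'Lax', 'None']);

// SameSite values are case-insensitive on the wire; normalize to the canonical spelling.
// Unknown values yield undefined, which a browser treats as "attribute not set".
function normalizeSameSite(v) {
  if (v === undefined || v === null) return undefined;
  const s = String(v);
  const norm = s.charAt(0).toUpperCase() + s.slice(1).toLowerCase();
  return ALLOWED_SAMESITE.has(norm) ? norm : undefined;
}

// Server side: build the Set-Cookie header value. attrs is this example's own shape:
// { expires: Date, maxAge: Number, path, domain, secure: Boolean, httpOnly: Boolean, sameSite }
function serializeSetCookie(name, value, attrs = {}) {
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  const parts = [`${name}=${value}`];
  if (attrs.expires instanceof Date) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (Number.isInteger(attrs.maxAge)) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.sameSite !== undefined) {
    const ss = normalizeSameSite(attrs.sameSite);
    if (!ss) throw new Error('SameSite must be Strict, Lax or None');
    parts.push(`SameSite=${ss}`);
  }
  return parts.join('; ');
}

// Browser side: parse the header value into name/value plus a normalized attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('missing cookie name/value');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const attr of rest) {
    if (!attr) continue;
    const [rawKey, ...valParts] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = valParts.join('=').trim();
    switch (key) {
      case 'expires': cookie.expires = new Date(val); break;
      case 'max-age': cookie.maxAge = Number.parseInt(val, 10); break;
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break; // leading dot is ignored
      case 'path': cookie.path = val; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = normalizeSameSite(val); break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Remaining lifetime in seconds. Max-Age wins when both it and Expires are present;
// null means a session cookie (no expiry given).
function effectiveMaxAgeSeconds(cookie, now = Date.now()) {
  if (Number.isInteger(cookie.maxAge)) return cookie.maxAge;
  if (cookie.expires instanceof Date && !Number.isNaN(cookie.expires.getTime())) {
    return Math.floor((cookie.expires.getTime() - now) / 1000);
  }
  return null;
}
```

Round-tripping the header from slide 11 (`SID=1234567890abcdefg; Path=/; Domain=example.com; SameSite=Lax`) through both functions yields the same string, and a cookie carrying both `Max-Age=60` and an `Expires` date reports 60 seconds, as the table states.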

Slide 11

SameSite Cookie
• A new attribute that can be set on a cookie
• The RFC is still a draft (RFC6265bis)
• Lets you restrict sending the cookie to cross-site requests
  In the earlier example, it can prevent bank.com's cookie from being sent from evil.com
• Set-Cookie: SID=1234567890abcdefg; Path=/; Domain=example.com; SameSite=Lax

Slide 12

SameSite=?
• Strict:
  ・ The cookie is not sent to other domains
• Lax:
  ・ The cookie is sent to other domains only for a navigation that changes the URL shown in the address bar, and only if the method is GET
  ・ GET requests to other domains made by …, …, XHR and the like do not send the cookie
• None: the cookie is sent regardless of domain
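The Strict/Lax/None rules above, as an added example that is not part of the original slides: a JavaScript model of the browser's decision to attach a cookie to a request, plus the bank.com/evil.com scenario from slide 6 run through it. The request-context fields (initiatorHost, targetHost, method, topLevelNavigation) and the two-label siteOf() approximation are assumptions of this example; real browsers compare sites using the Public Suffix List.

```javascript
// Added example, not code from the original slides. Models which SameSite values
// let a cookie ride along on a given request.

// Site of a host, approximated as its last two labels ("bank.com" for "www.bank.com").
// Assumption of this example; browsers consult the Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// ctx = { initiatorHost, targetHost, method, topLevelNavigation }
//   initiatorHost      host of the document that caused the request (e.g. evil.com)
//   targetHost         host the request goes to (e.g. bank.com)
//   method             'GET' | 'HEAD' | 'POST' | ...
//   topLevelNavigation true when the address bar changes (link click, form submission);
//                      false for <img>, <iframe>, XHR/fetch subresource requests
function shouldSendCookie(cookie, ctx) {
  const sameSite = cookie.sameSite || 'None'; // pre-Chrome-80 behaviour: unset means None
  const isSameSite = siteOf(ctx.initiatorHost) === siteOf(ctx.targetHost);
  if (isSameSite) return true;                // same-site requests always carry the cookie
  switch (sameSite) {
    case 'Strict':
      return false;                           // never sent cross-site, not even on a link click
    case 'Lax':
      // Only a top-level navigation with a safe method (GET/HEAD) carries the cookie.
      return ctx.topLevelNavigation && (ctx.method === 'GET' || ctx.method === 'HEAD');
    case 'None':
      return true;                            // sent regardless of site
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The CSRF scenario from slide 6: bank.com's session cookie and a form on evil.com
// auto-submitted (pay.submit()) to bank.com. A form submission is a top-level
// navigation but uses POST. Returns the SameSite values that keep the cookie out.
function csrfPostBlockedBy() {
  const ctx = { initiatorHost: 'evil.com', targetHost: 'bank.com', method: 'POST', topLevelNavigation: true };
  return ['Strict', 'Lax', 'None'].filter((v) => !shouldSendCookie({ name: 'sid', sameSite: v }, ctx));
}
```

Running csrfPostBlockedBy() gives ['Strict', 'Lax']: both stop the cross-site POST, while the link-from-email case of slides 13 and 14 (a cross-site top-level GET) is blocked only by Strict, which is why Lax keeps the user logged in after clicking the link.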

Slide 13

SameSite=Strict
• When navigating from another site via a link, the cookie is not sent
• Even if already logged in, coming from a site on a different domain means logging in again
Diagram: ① log in ② email ③ click the link to Site A from the mail ④ Site A ❌

Slide 14

SameSite=Lax
• The logged-in state is kept even when navigating from another site
• The cookie is not sent on POST, so this counters the CSRF described earlier
Diagram: ① log in ② email ③ click the link to Site A from the mail ④ Site A ○

Slide 15

https://caniuse.com/#feat=same-site-cookie-attribute

Slide 16

Cookies default to SameSite=Lax

Slide 17

https://www.chromestatus.com/feature/5088147346030592

Slide 18

SameSite=Lax becomes the default
• Today, a cookie without SameSite behaves the same as None
• From Chrome 80, a cookie with no SameSite attribute is planned to be treated like Lax
• Specifying SameSite=None keeps the current behaviour

Slide 19

chrome://flags/#same-site-by-default-cookies
Even today, enabling this flag makes SameSite=Lax the default.

Slide 20

https://www.hatena.ne.jp/
Effects of SameSite=Lax by default: the logged-in state

Slide 21

https://www.hatena.ne.jp/
The user is judged to be not logged in (the user actually is logged in)

Slide 22

http://hatenablog.com/
A warning that third-party cookies are disabled is shown. The user is judged to be not logged in (the user actually is logged in)

Slide 23

Effects of SameSite=Lax
• Some services will need to set SameSite=None to keep their current behaviour
• Ads and the like may likewise stop working correctly

Slide 24

https://www.chromestatus.com/feature/5633521622188032
A SameSite=None cookie without the Secure attribute is not sent
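As an added example (not from the slides), a small JavaScript audit of a site's cookies against the two Chrome 80 changes from slides 18 and 24: a missing SameSite attribute is treated as Lax, and SameSite=None is rejected unless Secure is also set. The cookie records, the usedCrossSite flag (marking cookies that must work in a third-party context, like the embedded login state in the hatena screenshots) and the status names are this example's own assumptions.

```javascript
// Added example, not code from the original slides. Flags cookies that Chrome 80's
// SameSite defaults will reject or that will stop working cross-site.

// Effective SameSite value: explicit value wins; otherwise Lax under Chrome 80, None before.
function effectiveSameSite(cookie, { chrome80 = true } = {}) {
  if (cookie.sameSite) return cookie.sameSite;
  return chrome80 ? 'Lax' : 'None';
}

// One finding per cookie:
//   'ok'                 nothing changes
//   'rejected'           None without Secure: the browser drops the cookie entirely
//   'breaks-cross-site'  effectively Lax now, so its third-party use stops working
function auditForChrome80(cookies) {
  return cookies.map((c) => {
    const effective = effectiveSameSite(c);
    let status = 'ok';
    let fix = null;
    if (effective === 'None' && !c.secure) {
      status = 'rejected';
      fix = 'add Secure (and serve over HTTPS), or drop SameSite=None';
    } else if (c.usedCrossSite && effective !== 'None') {
      status = 'breaks-cross-site';
      fix = 'set SameSite=None; Secure if cross-site use is intended';
    }
    return { name: c.name, effective, status, fix };
  });
}

// Constructed sample input (hypothetical cookies, not taken from any real site).
const SAMPLE_COOKIES = [
  { name: 'sid', sameSite: undefined, secure: true, usedCrossSite: true },      // login state read from an embedded widget
  { name: 'ad_id', sameSite: 'None', secure: false, usedCrossSite: true },      // ad cookie set over plain HTTP
  { name: 'csrf_token', sameSite: 'Strict', secure: true, usedCrossSite: false },
  { name: 'theme', sameSite: undefined, secure: true, usedCrossSite: false },   // first-party only: Lax is fine
];

// Count findings by status, e.g. { ok: 2, rejected: 1, 'breaks-cross-site': 1 }.
function summarize(findings) {
  return findings.reduce((acc, f) => { acc[f.status] = (acc[f.status] || 0) + 1; return acc; }, {});
}

for (const f of auditForChrome80(SAMPLE_COOKIES)) {
  console.log(`${f.name}: SameSite=${f.effective} -> ${f.status}${f.fix ? ` (${f.fix})` : ''}`);
}
```

On the sample, sid is flagged as breaking cross-site use (unset, so now Lax) and ad_id as rejected (None without Secure), which are the two failure modes the screenshots on slides 21 and 22 illustrate; csrf_token and theme are unaffected.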

Slide 25

Note: what I happened to find was a Hatena service I use often, but I have no intention of pointing out problems with Hatena's services. As a user, I like Hatena's services.

Slide 26

Summary
• SameSite cookies are effective against CSRF
• From Chrome 80, a cookie without SameSite is treated as Lax
• You may need to prepare for SameSite=Lax…

Slide 27

https://2019.kfug.jp
I will be talking about security at the Frontend Conference

Slide 28

Thanks. @shisama_ shisama