Reconsider Content Security Policy for WEB Application

Transcript

1. ໐ւ߂ً
   
   (.0
   1FQBCP
   *OD
   
   ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ
 Ϧιʔε؅ཧͪΌΜͱ΍Ζ͏

2. ΤϯδχΞ ໐ւ߂ً
   !TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ
 ϚωʔδυΫϥ΢υνʔϜ

3. ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD
   
   

4. ɾ8FC
   "QQMJDBUJPO
   'JSFXBMM 8"' ɾ4UBUJD
   DPEF
   BOBMZTJT ɾ$POUFOU
   4FDVSJUZ
   1PMJDZ $41 ɾใ঑ۚ ɾηΩϡϦςΟ؂ࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν

5. ηΩϡϦςΟͱ͍ͬͯ΋Ұഋ͋ΔͷͰɺ

6. ϚωʔδυΫϥ΢υͰ࣮૷ͨ͠
 ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓࿩͠͠·͢ w944
 8FCαΠτ΁ɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏
   wΠϯδΣΫγϣϯ߈ܸ
 ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠৔߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏
   wΫϦοΫδϟοΩϯά
 8FCϖʔδͷར༻ऀʹର͠ѱҙΛ΋ͬͯ࢖༻͞ΕΔٕज़ͷҰछͰɺϦϯΫ΍ϘλϯͳͲͷཁૉΛӅṭɾِ૷͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏

7. $POUFOU
   4FDVSJUZ
   1PMJDZ

8. $POUFOU
   4FDVSJUZ
   1PMJDZ
   $41
   ͱ͸ɺΫϩ εαΠτεΫϦϓςΟϯά
   944
   ΍σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ஌͠ɺӨڹΛܰݮ͢ΔͨΊʹ௥ՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/
   XFC
   %PDT
   


   IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41
   ɹɹ

9. $41ͱ͸ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ
 Ϧετʹؚ·Εͳ͍Ϧιʔε͸ϒϥ΢βଆͰ
   ϒϩοΫ͢Δ΋ͷ

10. w*OMJOF
    4DSJQU
    ͷ࣮ߦ
    w؅ཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ
 ͳʹΛ๷͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT
    
    0, DEOFYBNQMFUFTUIPHFKQH
    0, FYBNQMFUFTUGVHBKT
    
    
    
    
    
    0, $41
    XIJUFMJTU ❌

    8FCαʔόʔ ѱҙͷ͋Δਓ
11. None

12. ϒϥ΢βରԠঢ়گ

13. $41ͷར༻ྫ ɾ DEOFYBNQMFDPN
    ͱ͍͏$%/͔Β+BWB4DSJQU
    ΛಡΈࠐΉ͕ɺ
 ͦΕҎ֎͸ڐՄ͠ͳ͍
    ɾ ಉҰυϝΠϯͷը૾Ҏ֎͸ಡΈࠐ·ͳ͍
    ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷ΋ͷΛશ໘తʹڋ൱͢Δ
 FUDʜ

14. $41ಋೖͷσϝϦοτ w *&͸ରԠϒϥ΢βʹؚΊͳ͍΋ͷͱ͢Δඞཁ͕͋Δ
    w ӡ༻͕ͦͦ͜͜໘౗͍͘͞
    w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ
    w ։ൃνʔϜ͸$POUFOU
    4FDVSJUZ
    1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ
    w

    ద੾ʹ؅ཧ͞Ε͍ͯͳ͚Ε͹ɺ944߈ܸͷର৅ʹͳΔ
    w ϒϥ΢β࣮૷ʹ͓͍ͯࠩҟ͕͋Δ
    w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑ΋ʜ

15. ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD
    'BWJDPO΍ը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD

    PCKFDU
    FNCFE
    BQQMFU NFEJBTSD WJEFP
    DBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMF
    DTT GSBNFTSD JGSBNF

16. $41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛ௥ه͢Δ
    NFUB
    λάʹ
    IUUQFRVJW
    ଐੑΛ࢖༻ͯ͠ઃఆ͢Δ͜ͱ΋ग़དྷ·͢ɻ

17. ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ
    ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU
    ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ

18. ݫ͗ͯ͢͠࢖͑ͳ͍

19. )5.-ʹهड़ͨ͠TDSJQUϒϩοΫ͸࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹ੾Γग़͢ $41ͷઃఆํ๏ʢ(PPHMF
    "OBMZUJDT
    ΛڐՄ͢Δ৔߹ʣ

20. ੾Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF
    "OBMZUJDT
    ΛڐՄ͢Δ৔߹ʣ

21. add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScript͸શͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ

    Մม͢Δ஋͸HTMLଆʹدͤΔͳͲίʔυͱσʔλΛ෼཭͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF
    "OBMZUJDT
    ΛڐՄ͢Δ৔߹ʣ

22. ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά͸࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ஋ 
 add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;

23. ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';

24. ࠔͬͨ࣌ͷઃఆํ๏ FWBM
    Λ࢖Θͳ͍ͱ͍͚ͳ͍৔߹ɺVOTBGFFWBM
    ΦϓγϣϯΛ௥ه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛ࢖Θͳ͍ͱ͍͚ͳ͍৔߹ɺVOTBGFJOMJOF
    ΦϓγϣϯΛ௥ه͢Δ add_header Content-Security-Policy script-src

    ‘unsafe-inline’;

25. Ϩϙʔτϩάͷૹ৴ SFQPSUVSJ
    ΦϓγϣϯΛ௥ه͢Δ͜ͱͰϨϙʔτΛ೚ҙͷ63-ʹKTPO
    Ͱ
    1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ಺༰͕ҎԼͷΑ͏ͳ಺༰Ͱ1045͞ΕΔ

26. ·ͱΊ w 8FC
    αΠτΛ҆શʹߏங͢Δͷ͸೉͍͠͠ɺ$41͕શͯΛղܾ͢Δ΋ͷͰ͸ͳ͍
    w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛద੾ʹઃఆ͢Δ͜ͱͰࠓΑΓ΋ηΩϡΞ
 ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷ෼཭ʹͭͳ͕Δ
    w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF
    VOTBGFFWBM
    Λ࢖͏΂͖͔͖ͪΜͱߟ͑Δ
 ˠ
    944͕੒ޭ͢ΔڪΕ͕͋ΔͨΊIBTI΍OPODF
    ͷ׆༻Λݕ౼͢Δ
    

    w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷ܏޲΍ରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏

27. ࢀߟࢿྉ w$POUFOU
    4FDVSJUZ
    1PMJDZ
    $41
    
    )551
    c
    .%/
 IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41
    w$POUFOU
    4FDVSJUZ
    1PMJDZ
    -FWFM
    
 IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41
    wฐࣾͷϗʔϜϖʔδʹ$POUFOU
    4FDVSJUZ
    1PMJDZ $41 Λಋೖ͠·ͨ͠


    IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM
 )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά