Reconsider Content Security Policy for WEB Application

໐ւ߂ً(.01FQBCP *OD ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ  Ϧιʔε؅ཧͪΌΜͱ΍Ζ͏

ΤϯδχΞ ໐ւ߂ً!TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ  ϚωʔδυΫϥ΢υνʔϜ

ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD

ɾ8FC"QQMJDBUJPO'JSFXBMM 8"' ɾ4UBUJDDPEFBOBMZTJT ɾ$POUFOU4FDVSJUZ1PMJDZ $41 ɾใ঑ۚ ɾηΩϡϦςΟ؂ࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν

ηΩϡϦςΟͱ͍ͬͯ΋Ұഋ͋ΔͷͰɺ

ϚωʔδυΫϥ΢υͰ࣮૷ͨ͠  ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓࿩͠͠·͢ w944  8FCαΠτ΁ɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏ wΠϯδΣΫγϣϯ߈ܸ  ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠৔߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏ wΫϦοΫδϟοΩϯά  8FCϖʔδͷར༻ऀʹର͠ѱҙΛ΋ͬͯ࢖༻͞ΕΔٕज़ͷҰछͰɺϦϯΫ΍ϘλϯͳͲͷཁૉΛӅṭɾِ૷͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏

$POUFOU4FDVSJUZ1PMJDZ

$POUFOU4FDVSJUZ1PMJDZ $41 ͱ͸ɺΫϩ εαΠτεΫϦϓςΟϯά 944 ΍σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ஌͠ɺӨڹΛܰݮ͢ΔͨΊʹ௥ՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/XFC%PDT 
IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41ɹɹ

$41ͱ͸ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ  Ϧετʹؚ·Εͳ͍Ϧιʔε͸ϒϥ΢βଆͰ ϒϩοΫ͢Δ΋ͷ

w*OMJOF4DSJQUͷ࣮ߦ w؅ཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ  ͳʹΛ๷͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT0, DEOFYBNQMFUFTUIPHFKQH0, FYBNQMFUFTUGVHBKT0, $41XIJUFMJTU ❌
8FCαʔόʔ ѱҙͷ͋Δਓ

ϒϥ΢βରԠঢ়گ

$41ͷར༻ྫ ɾ DEOFYBNQMFDPNͱ͍͏$%/͔Β+BWB4DSJQUΛಡΈࠐΉ͕ɺ  ͦΕҎ֎͸ڐՄ͠ͳ͍ ɾ ಉҰυϝΠϯͷը૾Ҏ֎͸ಡΈࠐ·ͳ͍ ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷ΋ͷΛશ໘తʹڋ൱͢Δ  FUDʜ

$41ಋೖͷσϝϦοτ w *&͸ରԠϒϥ΢βʹؚΊͳ͍΋ͷͱ͢Δඞཁ͕͋Δ w ӡ༻͕ͦͦ͜͜໘౗͍͘͞ w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ w ։ൃνʔϜ͸$POUFOU4FDVSJUZ1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ w
ద੾ʹ؅ཧ͞Ε͍ͯͳ͚Ε͹ɺ944߈ܸͷର৅ʹͳΔ w ϒϥ΢β࣮૷ʹ͓͍ͯࠩҟ͕͋Δ w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑ΋ʜ

ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD 'BWJDPO΍ը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD
PCKFDUFNCFEBQQMFU NFEJBTSD WJEFPDBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMFDTT GSBNFTSD JGSBNF

$41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛ௥ه͢Δ NFUBλάʹIUUQFRVJWଐੑΛ࢖༻ͯ͠ઃఆ͢Δ͜ͱ΋ग़དྷ·͢ɻ

ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ

ݫ͗ͯ͢͠࢖͑ͳ͍

)5.-ʹهड़ͨ͠TDSJQUϒϩοΫ͸࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹ੾Γग़͢ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ৔߹ʣ

੾Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ৔߹ʣ

add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScript͸શͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ
Մม͢Δ஋͸HTMLଆʹدͤΔͳͲίʔυͱσʔλΛ෼཭͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ৔߹ʣ

ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά͸࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ஋   add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;

ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';

ࠔͬͨ࣌ͷઃఆํ๏ FWBMΛ࢖Θͳ͍ͱ͍͚ͳ͍৔߹ɺVOTBGFFWBMΦϓγϣϯΛ௥ه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛ࢖Θͳ͍ͱ͍͚ͳ͍৔߹ɺVOTBGFJOMJOFΦϓγϣϯΛ௥ه͢Δ add_header Content-Security-Policy script-src
‘unsafe-inline’;

Ϩϙʔτϩάͷૹ৴ SFQPSUVSJΦϓγϣϯΛ௥ه͢Δ͜ͱͰϨϙʔτΛ೚ҙͷ63-ʹKTPOͰ1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ಺༰͕ҎԼͷΑ͏ͳ಺༰Ͱ1045͞ΕΔ

·ͱΊ w 8FCαΠτΛ҆શʹߏங͢Δͷ͸೉͍͠͠ɺ$41͕શͯΛղܾ͢Δ΋ͷͰ͸ͳ͍ w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛద੾ʹઃఆ͢Δ͜ͱͰࠓΑΓ΋ηΩϡΞ  ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷ෼཭ʹͭͳ͕Δ w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF VOTBGFFWBMΛ࢖͏΂͖͔͖ͪΜͱߟ͑Δ  ˠ944͕੒ޭ͢ΔڪΕ͕͋ΔͨΊIBTI΍OPODFͷ׆༻Λݕ౼͢Δ
w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷ܏޲΍ରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏

ࢀߟࢿྉ w$POUFOU4FDVSJUZ1PMJDZ $41 )551c.%/  IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 w$POUFOU4FDVSJUZ1PMJDZ-FWFM  IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 wฐࣾͷϗʔϜϖʔδʹ$POUFOU4FDVSJUZ1PMJDZ $41 Λಋೖ͠·ͨ͠ 
IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM  )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά  

Reconsider Content Security Policy for WEB Appl...

Reconsider Content Security Policy for WEB Application

sunecosuri

More Decks by sunecosuri

Featured

Transcript