
Reconsider Content Security Policy for WEB Application

sunecosuri
April 26, 2018


Notes compiled when introducing Content Security Policy.



Transcript

  1. sunecosuri, GMO Pepabo, Inc., ホスTech MTG
 Let's manage web application resources properly

  2. Engineer @sunecosuri, Hosting Business Division, Hosting Group,
 Managed Cloud team

  3. Attack techniques: • cross-site request forgery (CSRF) • injection attacks • directory traversal • cross-site scripting (XSS) • clickjacking • mail header injection • etc.

  4. Approaches against these attack techniques: • Web Application Firewall (WAF) • static code analysis • Content Security Policy (CSP) • bounty (reward) programs • security audits

  5. "Security" covers a great deal of ground, so...

  6. Here I talk about one of the approaches we implemented on Managed Cloud, which feeds into the countermeasures below:
 • XSS: an attack technique that embeds malicious scripts into a web site
 • Injection attacks: an attack technique in which the attacker abuses a bug that appears when a program processes invalid data, in order to execute illegitimate commands
 • Clickjacking: a kind of technique used maliciously against the users of a web page; elements such as links and buttons are hidden or disguised to lure a click and make the user perform an action they did not intend

  7. Content Security Policy

  8. Content Security Policy (CSP) is a security layer that can be added to detect certain kinds of attacks, such as cross-site scripting (XSS) and data injection attacks, and to mitigate their impact. (MDN web docs)
     https://developer.mozilla.org/ja/docs/Web/HTTP/CSP
  9. What CSP is: you configure a list of the resources that are allowed to execute, and
 resources not on that list are blocked on the browser side.

  10. What it can prevent: • execution of inline scripts • loading of resources the administrator did not intend
 Diagram: the web server sends the CSP whitelist; cdn.example.test/sample.js OK, cdn.example.test/hoge.jpg OK, example.test/fuga.js OK, and evil.example.com/evil.js (served by the malicious party) ❌
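The diagram on this slide is, in effect, a host-source match: the browser compares each fetched URL against the source list of the governing directive. The following Python is an added example, not code from the deck or from Pepabo; it implements a simplified version of that matching ('none', 'self', scheme-less hosts, "*." wildcards, ports and path prefixes; nonces, hashes and the full CSP Level 3 scheme rules are left out) and runs the slide's URLs through it. The document origin https://example.test and the wildcard and path variants are assumptions made for illustration.

```python
# Added example (not from the deck): a simplified model of how a browser matches
# a fetched URL against a CSP source list, applied to the hosts on slide 10.
# Implements the common cases of host-source matching; it does not implement
# nonces, hashes, scheme-only sources or the full CSP Level 3 upgrade rules.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(url):
    """Return (scheme, host, port, path) with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port, u.path or "/"


def source_allows(source, url, document_origin):
    """Does one CSP source expression allow loading `url` from a page at `document_origin`?"""
    doc_scheme, doc_host, doc_port, _ = _origin_parts(document_origin)
    scheme, host, port, path = _origin_parts(url)

    if source == "'none'":
        return False
    if source == "'self'":
        # same scheme, host and port as the document (simplified: no https upgrade)
        return (scheme, host, port) == (doc_scheme, doc_host, doc_port)
    if source == "*":
        return True
    if source.startswith("'"):
        # keyword sources such as 'unsafe-inline' never match a URL
        return False

    # host-source: [scheme://]host[:port][/path]; parse it like a URL
    src = source if "://" in source else "//" + source
    s = urlsplit(src)
    src_scheme = s.scheme.lower()
    src_host = (s.hostname or "").lower()
    src_path = s.path

    # scheme: an explicit scheme must match; an omitted scheme inherits the
    # document's scheme, and https is always acceptable for an http page
    if src_scheme:
        if scheme != src_scheme:
            return False
    elif scheme != doc_scheme and scheme != "https":
        return False

    # host: '*.example.test' matches any subdomain but not example.test itself
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False

    # port: an explicit port must match; an omitted port means the scheme default
    if s.port is not None:
        if port != s.port:
            return False
    elif port != DEFAULT_PORTS.get(scheme):
        return False

    # path: a trailing '/' is a prefix match, otherwise the exact file must match
    if src_path and src_path != "/":
        if src_path.endswith("/"):
            return path.startswith(src_path)
        return path == src_path
    return True


def policy_allows(source_list, url, document_origin):
    """A URL is allowed when any source in the directive's list matches it."""
    return any(source_allows(s, url, document_origin) for s in source_list)


if __name__ == "__main__":
    # the slide's whitelist and URLs (document origin assumed to be https://example.test)
    script_src = ["'self'", "cdn.example.test"]
    for u in ["https://cdn.example.test/sample.js", "https://cdn.example.test/hoge.jpg",
              "https://example.test/fuga.js", "https://evil.example.com/evil.js"]:
        print(u, "OK" if policy_allows(script_src, u, "https://example.test") else "BLOCKED")
```

Note that a scheme-less host source inherits the page's scheme, so the same `cdn.example.test` entry behaves differently on an http page and an https page; a wildcard `*.example.test` does not cover the bare apex domain.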
  11. None
  12. Browser support status

  13. Usage examples of CSP: • load JavaScript from the CDN cdn.example.com, but allow nothing else
 • load no images other than those from the same domain • we do not want scripts to run, so refuse script execution entirely
 etc…

  14. Drawbacks of introducing CSP: • IE has to be excluded from the supported browsers • operation is fairly tedious • the whitelist has to be kept up to date continually • the development team has to keep Content Security Policy in mind at all times
 • if it is not managed properly, you become a target of XSS attacks • browser implementations differ • after introduction, some JavaScript libraries and the like may stop working…
  15. Kinds of policy (directive: what it governs)
 default-src: the default allow setting
 img-src: favicons and images
 script-src: JavaScript code
 object-src: object, embed, applet
 media-src: video, canvas
 font-src: @font-face
 style-src: style, css
 frame-src: iframe
  16. How to configure CSP: add a setting on the server side that emits the "Content-Security-Policy" response header, for example in nginx:
 add_header Content-Security-Policy "default-src 'self'";
 It can also be set with a meta tag using the http-equiv attribute.

  17. With this setting the following are forbidden: • loading external JavaScript • JavaScript written in <script></script> in the HTML • event attributes such as onload="xxxx"

  18. Too strict to be usable

  19. How to configure CSP (allowing Google Analytics): script blocks written in the HTML are not executed, so move them out into an external script

  20. How to configure CSP (allowing Google Analytics): save the extracted script as e.g. ga.js and load it from the HTML source as an external script

  21. How to configure CSP (allowing Google Analytics):
 add_header Content-Security-Policy "default-src 'none'; script-src 'self' www.google-analytics.com; img-src www.google-analytics.com";
 All JavaScript is written in *.js files and loaded as external scripts; code and data need to be separated, for example by moving values that vary to the HTML side.
  22. Other configuration methods: nonce. Script tags that do not carry the nonce can be made not to execute.
 // nonce-<base64 value>
 add_header Content-Security-Policy "script-src 'nonce-2726c7f26c'";

  23. Other configuration methods: hash. Allow a script by its SHA hash.
 add_header Content-Security-Policy "script-src 'sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs='";
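Slides 21 to 23 show the header values as finished strings. The Python below is an added example, not code from the deck, that produces those values: the hash-source is the base64 of the SHA-256 over the exact bytes of an inline script body, the nonce is fresh random bytes that must change per response, and the policy builder serializes directives into one header value. The `policy_for_page` layout (default-src 'none', scripts by self, nonce or hash) is an illustrative choice, not something the deck prescribes.

```python
# Added example (not from the deck): generating the script-src values shown on
# slides 21-23. A browser hashes the text between <script> and </script>
# byte-for-byte, so the hash must be computed over exactly that text.
import base64
import hashlib
import secrets


def csp_hash_source(script_text, algorithm="sha256"):
    """Return a CSP hash-source such as 'sha256-...=' for one inline script body.

    Leading/trailing whitespace or a changed line ending inside the script
    produces a different hash, so the header must be regenerated when the
    inline script changes.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def generate_nonce(num_bytes=16):
    """Return a fresh, unguessable nonce (base64 of random bytes); make one per response."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_source(nonce):
    """Wrap a nonce as the 'nonce-...' source expression used in the header and the tag."""
    return "'nonce-%s'" % nonce


def build_policy(directives):
    """Serialize {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join("%s %s" % (name, " ".join(sources)) for name, sources in directives.items())


def policy_for_page(inline_scripts, nonce):
    """Illustrative policy: nothing by default; scripts only from self, by nonce, or by hash."""
    sources = ["'self'", nonce_source(nonce)] + [csp_hash_source(s) for s in inline_scripts]
    return build_policy({"default-src": ["'none'"], "script-src": sources, "img-src": ["'self'"]})


if __name__ == "__main__":
    nonce = generate_nonce()
    # the same nonce goes into the header and into <script nonce="..."> in the HTML
    print("Content-Security-Policy:", policy_for_page(["console.log('hello')"], nonce))
    print('<script nonce="%s">console.log(\'hello\')</script>' % nonce)
```

The nonce value on slide 22 is a fixed string for the slide; in a real deployment the value is generated per response, as `generate_nonce` does, otherwise an attacker who has seen one page can reuse it.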

  24. Configuration when you are stuck: if you cannot avoid eval, add the unsafe-eval option:
 add_header Content-Security-Policy "script-src 'unsafe-eval'";
 If you cannot avoid inline elements, add the unsafe-inline option:
 add_header Content-Security-Policy "script-src 'unsafe-inline'";
  25. Sending report logs: by adding the report-uri option, reports are POSTed as JSON to a URL of your choice.
 add_header Content-Security-Policy "default-src 'self'; report-uri http://example.test/collector.js";
 The report is POSTed in JSON form with content like the following.

  26. Summary
 • Building a web site securely is hard, and CSP does not solve everything
 • Using CSP to configure properly which resources are allowed to execute makes the site more secure than it is today
 → introducing CSP also leads, as a side effect, to separating HTML, JavaScript and CSS
 • When specifying external resources, think carefully about whether unsafe-inline and unsafe-eval should be used
 → since XSS could then succeed, consider using a hash or nonce instead
 • Collecting report logs and the like, so that attack trends can be seen and countermeasures planned, would be even better
  27. References
 • Content Security Policy (CSP) - HTTP | MDN
 https://developer.mozilla.org/ja/docs/Web/HTTP/CSP
 • Content Security Policy Level [level number not recoverable from the transcript]
 https://developer.mozilla.org/ja/docs/Web/HTTP/CSP
 • "We introduced Content Security Policy (CSP) on our company home page", HASH Consulting official blog
 http://blog.egsecure.co.jp/… (Content-Security-Policy-CSP….html; the rest of the path did not survive extraction)