Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Reconsider Content Security Policy for WEB Appl...
Search
sunecosuri
April 26, 2018
0
100
Reconsider Content Security Policy for WEB Application
ContentSecurityPolicyの導入に際してまとめたものです
sunecosuri
April 26, 2018
Tweet
Share
More Decks by sunecosuri
See All by sunecosuri
'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features
sunecosuri
2
360
Vue.js × TypeScript でclass style componentを廃止した話 / migrated-class-style-component -for-vuejs-and-typescrpit
sunecosuri
2
4.3k
Nuxt.js のbuid速度が早くなるオプションのいくつかについて / Increase-build-speed-for-Nuxt.js
sunecosuri
1
1.4k
about-vue-hooks.pdf
sunecosuri
1
730
Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js
sunecosuri
0
2.5k
ロリポップマネージドクラウドでAlexaスキルを開発しよう / let's development alexa skill by lolipop managed cloud
sunecosuri
1
220
マネージドクラウドのリリース速度を上げるお話 / Increase release speed for managed cloud
sunecosuri
2
330
Featured
See All Featured
The Language of Interfaces
destraynor
160
25k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.4k
Making the Leap to Tech Lead
cromwellryan
134
9.5k
Into the Great Unknown - MozCon
thekraken
40
2k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
31
2.2k
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
Git: the NoSQL Database
bkeepers
PRO
431
65k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
A designer walks into a library…
pauljervisheath
207
24k
Testing 201, or: Great Expectations
jmmastey
45
7.6k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
A better future with KSS
kneath
239
17k
Transcript
໐ւ߂ً(.01FQBCP *OD ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ ϦιʔεཧͪΌΜͱΖ͏
ΤϯδχΞ ໐ւ߂ً!TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ ϚωʔδυΫϥυνʔϜ
ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD
ɾ8FC"QQMJDBUJPO'JSFXBMM 8"' ɾ4UBUJDDPEFBOBMZTJT ɾ$POUFOU4FDVSJUZ1PMJDZ $41 ɾใۚ ɾηΩϡϦςΟࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν
ηΩϡϦςΟͱ͍ͬͯҰഋ͋ΔͷͰɺ
ϚωʔδυΫϥυͰ࣮ͨ͠ ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓͠͠·͢ w944 8FCαΠτɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏ wΠϯδΣΫγϣϯ߈ܸ ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏ wΫϦοΫδϟοΩϯά 8FCϖʔδͷར༻ऀʹର͠ѱҙΛͬͯ༻͞ΕΔٕज़ͷҰछͰɺϦϯΫϘλϯͳͲͷཁૉΛӅṭɾِ͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏
$POUFOU4FDVSJUZ1PMJDZ
$POUFOU4FDVSJUZ1PMJDZ $41 ͱɺΫϩ εαΠτεΫϦϓςΟϯά 944 σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ͠ɺӨڹΛܰݮ͢ΔͨΊʹՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/XFC%PDT
IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41ɹɹ
$41ͱ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ Ϧετʹؚ·Εͳ͍ϦιʔεϒϥβଆͰ ϒϩοΫ͢Δͷ
w*OMJOF4DSJQUͷ࣮ߦ wཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ ͳʹΛ͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT0, DEOFYBNQMFUFTUIPHFKQH0, FYBNQMFUFTUGVHBKT0, $41XIJUFMJTU ❌
8FCαʔόʔ ѱҙͷ͋Δਓ
None
ϒϥβରԠঢ়گ
$41ͷར༻ྫ ɾ DEOFYBNQMFDPNͱ͍͏$%/͔Β+BWB4DSJQUΛಡΈࠐΉ͕ɺ ͦΕҎ֎ڐՄ͠ͳ͍ ɾ ಉҰυϝΠϯͷը૾Ҏ֎ಡΈࠐ·ͳ͍ ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷͷΛશ໘తʹڋ൱͢Δ FUDʜ
$41ಋೖͷσϝϦοτ w *&ରԠϒϥβʹؚΊͳ͍ͷͱ͢Δඞཁ͕͋Δ w ӡ༻͕ͦͦ͜͜໘͍͘͞ w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ w ։ൃνʔϜ$POUFOU4FDVSJUZ1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ w
దʹཧ͞Ε͍ͯͳ͚Εɺ944߈ܸͷରʹͳΔ w ϒϥβ࣮ʹ͓͍ͯࠩҟ͕͋Δ w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑʜ
ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD 'BWJDPOը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD
PCKFDUFNCFEBQQMFU NFEJBTSD WJEFPDBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMFDTT GSBNFTSD JGSBNF
$41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛه͢Δ NFUBλάʹIUUQFRVJWଐੑΛ༻ͯ͠ઃఆ͢Δ͜ͱग़དྷ·͢ɻ
ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ
ݫ͗ͯ͑͢͠ͳ͍
)5.-ʹهड़ͨ͠TDSJQUϒϩοΫ࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹΓग़͢ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScriptશͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ
Մม͢ΔHTMLଆʹدͤΔͳͲίʔυͱσʔλΛ͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;
ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';
ࠔͬͨ࣌ͷઃఆํ๏ FWBMΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFFWBMΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFJOMJOFΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src
‘unsafe-inline’;
Ϩϙʔτϩάͷૹ৴ SFQPSUVSJΦϓγϣϯΛه͢Δ͜ͱͰϨϙʔτΛҙͷ63-ʹKTPOͰ1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ༰͕ҎԼͷΑ͏ͳ༰Ͱ1045͞ΕΔ
·ͱΊ w 8FCαΠτΛ҆શʹߏங͢Δͷ͍͠͠ɺ$41͕શͯΛղܾ͢ΔͷͰͳ͍ w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛదʹઃఆ͢Δ͜ͱͰࠓΑΓηΩϡΞ ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷʹͭͳ͕Δ w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF VOTBGFFWBMΛ͏͖͔͖ͪΜͱߟ͑Δ ˠ944͕ޭ͢ΔڪΕ͕͋ΔͨΊIBTIOPODFͷ׆༻Λݕ౼͢Δ
w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏
ࢀߟࢿྉ w$POUFOU4FDVSJUZ1PMJDZ $41 )551c.%/ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 w$POUFOU4FDVSJUZ1PMJDZ-FWFM IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 wฐࣾͷϗʔϜϖʔδʹ$POUFOU4FDVSJUZ1PMJDZ $41 Λಋೖ͠·ͨ͠
IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά