Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Reconsider Content Security Policy for WEB Application
Search
sunecosuri
April 26, 2018
0
80
Reconsider Content Security Policy for WEB Application
ContentSecurityPolicyの導入に際してまとめたものです
sunecosuri
April 26, 2018
Tweet
Share
More Decks by sunecosuri
See All by sunecosuri
'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features
sunecosuri
2
300
Vue.js × TypeScript でclass style componentを廃止した話 / migrated-class-style-component -for-vuejs-and-typescrpit
sunecosuri
2
4.1k
Nuxt.js のbuid速度が早くなるオプションのいくつかについて / Increase-build-speed-for-Nuxt.js
sunecosuri
1
1.2k
about-vue-hooks.pdf
sunecosuri
1
630
スーパーエンジニアを「育て」られるか? / how-to-let-an-engineer-to-grow-up-into-a-hacker
sunecosuri
0
1.2k
Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js
sunecosuri
0
2.1k
ロリポップマネージドクラウドでAlexaスキルを開発しよう / let's development alexa skill by lolipop managed cloud
sunecosuri
1
150
マネージドクラウドのリリース速度を上げるお話 / Increase release speed for managed cloud
sunecosuri
2
290
Featured
See All Featured
Side Projects
sachag
451
41k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
21
1.6k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
8
3.4k
What's new in Ruby 2.0
geeforr
337
31k
Infographics Made Easy
chrislema
238
18k
Writing Fast Ruby
sferik
622
60k
Documentation Writing (for coders)
carmenintech
60
4k
It's Worth the Effort
3n
180
27k
Making Projects Easy
brettharned
109
5.5k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
126
32k
Practical Orchestrator
shlominoach
183
9.7k
Transcript
໐ւ߂ً(.01FQBCP *OD ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ ϦιʔεཧͪΌΜͱΖ͏
ΤϯδχΞ ໐ւ߂ً!TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ ϚωʔδυΫϥυνʔϜ
ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD
ɾ8FC"QQMJDBUJPO'JSFXBMM 8"' ɾ4UBUJDDPEFBOBMZTJT ɾ$POUFOU4FDVSJUZ1PMJDZ $41 ɾใۚ ɾηΩϡϦςΟࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν
ηΩϡϦςΟͱ͍ͬͯҰഋ͋ΔͷͰɺ
ϚωʔδυΫϥυͰ࣮ͨ͠ ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓͠͠·͢ w944 8FCαΠτɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏ wΠϯδΣΫγϣϯ߈ܸ ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏ wΫϦοΫδϟοΩϯά 8FCϖʔδͷར༻ऀʹର͠ѱҙΛͬͯ༻͞ΕΔٕज़ͷҰछͰɺϦϯΫϘλϯͳͲͷཁૉΛӅṭɾِ͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏
$POUFOU4FDVSJUZ1PMJDZ
$POUFOU4FDVSJUZ1PMJDZ $41 ͱɺΫϩ εαΠτεΫϦϓςΟϯά 944 σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ͠ɺӨڹΛܰݮ͢ΔͨΊʹՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/XFC%PDT
IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41ɹɹ
$41ͱ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ Ϧετʹؚ·Εͳ͍ϦιʔεϒϥβଆͰ ϒϩοΫ͢Δͷ
w*OMJOF4DSJQUͷ࣮ߦ wཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ ͳʹΛ͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT0, DEOFYBNQMFUFTUIPHFKQH0, FYBNQMFUFTUGVHBKT0, $41XIJUFMJTU ❌
8FCαʔόʔ ѱҙͷ͋Δਓ
None
ϒϥβରԠঢ়گ
$41ͷར༻ྫ ɾ DEOFYBNQMFDPNͱ͍͏$%/͔Β+BWB4DSJQUΛಡΈࠐΉ͕ɺ ͦΕҎ֎ڐՄ͠ͳ͍ ɾ ಉҰυϝΠϯͷը૾Ҏ֎ಡΈࠐ·ͳ͍ ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷͷΛશ໘తʹڋ൱͢Δ FUDʜ
$41ಋೖͷσϝϦοτ w *&ରԠϒϥβʹؚΊͳ͍ͷͱ͢Δඞཁ͕͋Δ w ӡ༻͕ͦͦ͜͜໘͍͘͞ w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ w ։ൃνʔϜ$POUFOU4FDVSJUZ1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ w
దʹཧ͞Ε͍ͯͳ͚Εɺ944߈ܸͷରʹͳΔ w ϒϥβ࣮ʹ͓͍ͯࠩҟ͕͋Δ w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑʜ
ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD 'BWJDPOը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD
PCKFDUFNCFEBQQMFU NFEJBTSD WJEFPDBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMFDTT GSBNFTSD JGSBNF
$41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛه͢Δ NFUBλάʹIUUQFRVJWଐੑΛ༻ͯ͠ઃఆ͢Δ͜ͱग़དྷ·͢ɻ
ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ
ݫ͗ͯ͑͢͠ͳ͍
)5.-ʹهड़ͨ͠TDSJQUϒϩοΫ࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹΓग़͢ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScriptશͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ
Մม͢ΔHTMLଆʹدͤΔͳͲίʔυͱσʔλΛ͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;
ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';
ࠔͬͨ࣌ͷઃఆํ๏ FWBMΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFFWBMΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFJOMJOFΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src
‘unsafe-inline’;
Ϩϙʔτϩάͷૹ৴ SFQPSUVSJΦϓγϣϯΛه͢Δ͜ͱͰϨϙʔτΛҙͷ63-ʹKTPOͰ1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ༰͕ҎԼͷΑ͏ͳ༰Ͱ1045͞ΕΔ
·ͱΊ w 8FCαΠτΛ҆શʹߏங͢Δͷ͍͠͠ɺ$41͕શͯΛղܾ͢ΔͷͰͳ͍ w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛదʹઃఆ͢Δ͜ͱͰࠓΑΓηΩϡΞ ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷʹͭͳ͕Δ w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF VOTBGFFWBMΛ͏͖͔͖ͪΜͱߟ͑Δ ˠ944͕ޭ͢ΔڪΕ͕͋ΔͨΊIBTIOPODFͷ׆༻Λݕ౼͢Δ
w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏
ࢀߟࢿྉ w$POUFOU4FDVSJUZ1PMJDZ $41 )551c.%/ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 w$POUFOU4FDVSJUZ1PMJDZ-FWFM IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 wฐࣾͷϗʔϜϖʔδʹ$POUFOU4FDVSJUZ1PMJDZ $41 Λಋೖ͠·ͨ͠
IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά