Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Reconsider Content Security Policy for WEB Appl...
Search
sunecosuri
April 26, 2018
130
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Reconsider Content Security Policy for WEB Application
ContentSecurityPolicyの導入に際してまとめたものです
sunecosuri
April 26, 2018
More Decks by sunecosuri
See All by sunecosuri
New in Go 1.26 Implementing go fix in product development
sunecosuri
0
720
'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features
sunecosuri
2
390
Vue.js × TypeScript でclass style componentを廃止した話 / migrated-class-style-component -for-vuejs-and-typescrpit
sunecosuri
2
4.4k
Nuxt.js のbuid速度が早くなるオプションのいくつかについて / Increase-build-speed-for-Nuxt.js
sunecosuri
1
1.4k
about-vue-hooks.pdf
sunecosuri
1
780
Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js
sunecosuri
0
2.6k
ロリポップマネージドクラウドでAlexaスキルを開発しよう / let's development alexa skill by lolipop managed cloud
sunecosuri
1
240
マネージドクラウドのリリース速度を上げるお話 / Increase release speed for managed cloud
sunecosuri
2
370
Featured
See All Featured
Into the Great Unknown - MozCon
thekraken
41
2.6k
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
We Have a Design System, Now What?
morganepeng
55
8.2k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
230
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
480
Claude Code どこまでも/ Claude Code Everywhere
nwiizo
65
56k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
davidcarrasco
0
180
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
550
GraphQLの誤解/rethinking-graphql
sonatard
75
12k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.7k
Transcript
໐ւ߂ً(.01FQBCP *OD ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ ϦιʔεཧͪΌΜͱΖ͏
ΤϯδχΞ ໐ւ߂ً!TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ ϚωʔδυΫϥυνʔϜ
ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD
ɾ8FC"QQMJDBUJPO'JSFXBMM 8"' ɾ4UBUJDDPEFBOBMZTJT ɾ$POUFOU4FDVSJUZ1PMJDZ $41 ɾใۚ ɾηΩϡϦςΟࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν
ηΩϡϦςΟͱ͍ͬͯҰഋ͋ΔͷͰɺ
ϚωʔδυΫϥυͰ࣮ͨ͠ ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓͠͠·͢ w944 8FCαΠτɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏ wΠϯδΣΫγϣϯ߈ܸ ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏ wΫϦοΫδϟοΩϯά 8FCϖʔδͷར༻ऀʹର͠ѱҙΛͬͯ༻͞ΕΔٕज़ͷҰछͰɺϦϯΫϘλϯͳͲͷཁૉΛӅṭɾِ͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏
$POUFOU4FDVSJUZ1PMJDZ
$POUFOU4FDVSJUZ1PMJDZ $41 ͱɺΫϩ εαΠτεΫϦϓςΟϯά 944 σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ͠ɺӨڹΛܰݮ͢ΔͨΊʹՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/XFC%PDT
IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41ɹɹ
$41ͱ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ Ϧετʹؚ·Εͳ͍ϦιʔεϒϥβଆͰ ϒϩοΫ͢Δͷ
w*OMJOF4DSJQUͷ࣮ߦ wཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ ͳʹΛ͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT0, DEOFYBNQMFUFTUIPHFKQH0, FYBNQMFUFTUGVHBKT0, $41XIJUFMJTU ❌
8FCαʔόʔ ѱҙͷ͋Δਓ
None
ϒϥβରԠঢ়گ
$41ͷར༻ྫ ɾ DEOFYBNQMFDPNͱ͍͏$%/͔Β+BWB4DSJQUΛಡΈࠐΉ͕ɺ ͦΕҎ֎ڐՄ͠ͳ͍ ɾ ಉҰυϝΠϯͷը૾Ҏ֎ಡΈࠐ·ͳ͍ ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷͷΛશ໘తʹڋ൱͢Δ FUDʜ
$41ಋೖͷσϝϦοτ w *&ରԠϒϥβʹؚΊͳ͍ͷͱ͢Δඞཁ͕͋Δ w ӡ༻͕ͦͦ͜͜໘͍͘͞ w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ w ։ൃνʔϜ$POUFOU4FDVSJUZ1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ w
దʹཧ͞Ε͍ͯͳ͚Εɺ944߈ܸͷରʹͳΔ w ϒϥβ࣮ʹ͓͍ͯࠩҟ͕͋Δ w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑʜ
ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD 'BWJDPOը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD
PCKFDUFNCFEBQQMFU NFEJBTSD WJEFPDBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMFDTT GSBNFTSD JGSBNF
$41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛه͢Δ NFUBλάʹIUUQFRVJWଐੑΛ༻ͯ͠ઃఆ͢Δ͜ͱग़དྷ·͢ɻ
ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ
ݫ͗ͯ͑͢͠ͳ͍
)5.-ʹهड़ͨ͠TDSJQUϒϩοΫ࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹΓग़͢ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScriptશͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ
Մม͢ΔHTMLଆʹدͤΔͳͲίʔυͱσʔλΛ͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;
ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';
ࠔͬͨ࣌ͷઃఆํ๏ FWBMΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFFWBMΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFJOMJOFΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src
‘unsafe-inline’;
Ϩϙʔτϩάͷૹ৴ SFQPSUVSJΦϓγϣϯΛه͢Δ͜ͱͰϨϙʔτΛҙͷ63-ʹKTPOͰ1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ༰͕ҎԼͷΑ͏ͳ༰Ͱ1045͞ΕΔ
·ͱΊ w 8FCαΠτΛ҆શʹߏங͢Δͷ͍͠͠ɺ$41͕શͯΛղܾ͢ΔͷͰͳ͍ w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛదʹઃఆ͢Δ͜ͱͰࠓΑΓηΩϡΞ ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷʹͭͳ͕Δ w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF VOTBGFFWBMΛ͏͖͔͖ͪΜͱߟ͑Δ ˠ944͕ޭ͢ΔڪΕ͕͋ΔͨΊIBTIOPODFͷ׆༻Λݕ౼͢Δ
w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏
ࢀߟࢿྉ w$POUFOU4FDVSJUZ1PMJDZ $41 )551c.%/ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 w$POUFOU4FDVSJUZ1PMJDZ-FWFM IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 wฐࣾͷϗʔϜϖʔδʹ$POUFOU4FDVSJUZ1PMJDZ $41 Λಋೖ͠·ͨ͠
IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά