Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Reconsider Content Security Policy for WEB Appl...
Search
sunecosuri
April 26, 2018
0
100
Reconsider Content Security Policy for WEB Application
ContentSecurityPolicyの導入に際してまとめたものです
sunecosuri
April 26, 2018
Tweet
Share
More Decks by sunecosuri
See All by sunecosuri
'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features
sunecosuri
2
360
Vue.js × TypeScript でclass style componentを廃止した話 / migrated-class-style-component -for-vuejs-and-typescrpit
sunecosuri
2
4.4k
Nuxt.js のbuid速度が早くなるオプションのいくつかについて / Increase-build-speed-for-Nuxt.js
sunecosuri
1
1.4k
about-vue-hooks.pdf
sunecosuri
1
730
Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js
sunecosuri
0
2.5k
ロリポップマネージドクラウドでAlexaスキルを開発しよう / let's development alexa skill by lolipop managed cloud
sunecosuri
1
220
マネージドクラウドのリリース速度を上げるお話 / Increase release speed for managed cloud
sunecosuri
2
330
Featured
See All Featured
Automating Front-end Workflow
addyosmani
1371
200k
YesSQL, Process and Tooling at Scale
rocio
173
14k
The World Runs on Bad Software
bkeepers
PRO
71
11k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.5k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
32
2.2k
Agile that works and the tools we love
rasmusluckow
331
21k
Making the Leap to Tech Lead
cromwellryan
135
9.5k
Writing Fast Ruby
sferik
629
62k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Speed Design
sergeychernyshev
32
1.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Transcript
໐ւ߂ً(.01FQBCP *OD ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ ϦιʔεཧͪΌΜͱΖ͏
ΤϯδχΞ ໐ւ߂ً!TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ ϚωʔδυΫϥυνʔϜ
ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD
ɾ8FC"QQMJDBUJPO'JSFXBMM 8"' ɾ4UBUJDDPEFBOBMZTJT ɾ$POUFOU4FDVSJUZ1PMJDZ $41 ɾใۚ ɾηΩϡϦςΟࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν
ηΩϡϦςΟͱ͍ͬͯҰഋ͋ΔͷͰɺ
ϚωʔδυΫϥυͰ࣮ͨ͠ ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓͠͠·͢ w944 8FCαΠτɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏ wΠϯδΣΫγϣϯ߈ܸ ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏ wΫϦοΫδϟοΩϯά 8FCϖʔδͷར༻ऀʹର͠ѱҙΛͬͯ༻͞ΕΔٕज़ͷҰछͰɺϦϯΫϘλϯͳͲͷཁૉΛӅṭɾِ͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏
$POUFOU4FDVSJUZ1PMJDZ
$POUFOU4FDVSJUZ1PMJDZ $41 ͱɺΫϩ εαΠτεΫϦϓςΟϯά 944 σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ͠ɺӨڹΛܰݮ͢ΔͨΊʹՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/XFC%PDT
IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41ɹɹ
$41ͱ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ Ϧετʹؚ·Εͳ͍ϦιʔεϒϥβଆͰ ϒϩοΫ͢Δͷ
w*OMJOF4DSJQUͷ࣮ߦ wཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ ͳʹΛ͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT0, DEOFYBNQMFUFTUIPHFKQH0, FYBNQMFUFTUGVHBKT0, $41XIJUFMJTU ❌
8FCαʔόʔ ѱҙͷ͋Δਓ
None
ϒϥβରԠঢ়گ
$41ͷར༻ྫ ɾ DEOFYBNQMFDPNͱ͍͏$%/͔Β+BWB4DSJQUΛಡΈࠐΉ͕ɺ ͦΕҎ֎ڐՄ͠ͳ͍ ɾ ಉҰυϝΠϯͷը૾Ҏ֎ಡΈࠐ·ͳ͍ ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷͷΛશ໘తʹڋ൱͢Δ FUDʜ
$41ಋೖͷσϝϦοτ w *&ରԠϒϥβʹؚΊͳ͍ͷͱ͢Δඞཁ͕͋Δ w ӡ༻͕ͦͦ͜͜໘͍͘͞ w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ w ։ൃνʔϜ$POUFOU4FDVSJUZ1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ w
దʹཧ͞Ε͍ͯͳ͚Εɺ944߈ܸͷରʹͳΔ w ϒϥβ࣮ʹ͓͍ͯࠩҟ͕͋Δ w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑʜ
ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD 'BWJDPOը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD
PCKFDUFNCFEBQQMFU NFEJBTSD WJEFPDBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMFDTT GSBNFTSD JGSBNF
$41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛه͢Δ NFUBλάʹIUUQFRVJWଐੑΛ༻ͯ͠ઃఆ͢Δ͜ͱग़དྷ·͢ɻ
ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ
ݫ͗ͯ͑͢͠ͳ͍
)5.-ʹهड़ͨ͠TDSJQUϒϩοΫ࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹΓग़͢ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScriptશͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ
Մม͢ΔHTMLଆʹدͤΔͳͲίʔυͱσʔλΛ͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;
ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';
ࠔͬͨ࣌ͷઃఆํ๏ FWBMΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFFWBMΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFJOMJOFΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src
‘unsafe-inline’;
Ϩϙʔτϩάͷૹ৴ SFQPSUVSJΦϓγϣϯΛه͢Δ͜ͱͰϨϙʔτΛҙͷ63-ʹKTPOͰ1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ༰͕ҎԼͷΑ͏ͳ༰Ͱ1045͞ΕΔ
·ͱΊ w 8FCαΠτΛ҆શʹߏங͢Δͷ͍͠͠ɺ$41͕શͯΛղܾ͢ΔͷͰͳ͍ w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛదʹઃఆ͢Δ͜ͱͰࠓΑΓηΩϡΞ ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷʹͭͳ͕Δ w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF VOTBGFFWBMΛ͏͖͔͖ͪΜͱߟ͑Δ ˠ944͕ޭ͢ΔڪΕ͕͋ΔͨΊIBTIOPODFͷ׆༻Λݕ౼͢Δ
w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏
ࢀߟࢿྉ w$POUFOU4FDVSJUZ1PMJDZ $41 )551c.%/ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 w$POUFOU4FDVSJUZ1PMJDZ-FWFM IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 wฐࣾͷϗʔϜϖʔδʹ$POUFOU4FDVSJUZ1PMJDZ $41 Λಋೖ͠·ͨ͠
IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά