Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
'Securing Web Apps with Modern Platform Feature...
Search
sunecosuri
June 19, 2019
Programming
2
360
'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features
https://mentaico-js.connpass.com/event/132416/
sunecosuri
June 19, 2019
Tweet
Share
More Decks by sunecosuri
See All by sunecosuri
Vue.js × TypeScript でclass style componentを廃止した話 / migrated-class-style-component -for-vuejs-and-typescrpit
sunecosuri
2
4.4k
Nuxt.js のbuid速度が早くなるオプションのいくつかについて / Increase-build-speed-for-Nuxt.js
sunecosuri
1
1.4k
about-vue-hooks.pdf
sunecosuri
1
730
Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js
sunecosuri
0
2.5k
ロリポップマネージドクラウドでAlexaスキルを開発しよう / let's development alexa skill by lolipop managed cloud
sunecosuri
1
220
マネージドクラウドのリリース速度を上げるお話 / Increase release speed for managed cloud
sunecosuri
2
340
Reconsider Content Security Policy for WEB Application
sunecosuri
0
100
Other Decks in Programming
See All in Programming
CSC305 Lecture 08
javiergs
PRO
0
270
AI駆動で0→1をやって見えた光と伸びしろ
passion0102
1
780
モテるデスク環境
mozumasu
3
1.1k
AkarengaLT vol.38
hashimoto_kei
1
110
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
160
コード生成なしでモック処理を実現!ovechkin-dm/mockioで学ぶメタプログラミング
qualiarts
0
250
EMこそClaude Codeでコード調査しよう
shibayu36
0
340
なぜGoのジェネリクスはこの形なのか? - Featherweight Goが明かす設計の核心
qualiarts
0
240
AIと人間の共創開発!OSSで試行錯誤した開発スタイル
mae616
2
780
コードとあなたと私の距離 / The Distance Between Code, You, and I
hiro_y
0
190
ソフトウェア設計の実践的な考え方
masuda220
PRO
4
630
実践Claude Code:20の失敗から学ぶAIペアプログラミング
takedatakashi
17
7.3k
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.5k
It's Worth the Effort
3n
187
28k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
36
6.1k
Facilitating Awesome Meetings
lara
57
6.6k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.2k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Optimizing for Happiness
mojombo
379
70k
Fireside Chat
paigeccino
40
3.7k
Navigating Team Friction
lara
190
15k
Why Our Code Smells
bkeepers
PRO
340
57k
Being A Developer After 40
akosma
91
590k
Transcript
Securing Web Apps with Modern Platform Features Securing Web Apps
with Modern Platform Features @sunecosuri Date: 2019-06-19 Google I/O’19 ͷWebΛ·ͱΊΔձ Λ·ͱΊͯΈΔ
Securing Web Apps with Modern Platform Features ҙ ·ͱΊͯΈΔɺͱॻ͍ͨͷͷ Ұ෦Λં͍ͬͯΔՕॴ͕͋ΔͨΊશͯ·ͱΊΒΕ͍ͯ·ͤΜ
ৄࡉݩͷಈըʹͳΔηογϣϯΛ͝ཡ͍ͩ͘͞ https://www.youtube.com/watch?v=DDtM9caQ97I
GMOϖύϘ ΤϯδχΞ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ ໐ւ ߂ً / @sunecosuri ϚωʔδυΫϥυνʔϜ
Overview Overview XSSCSRFͳͲͷ͋Γ͕ͪͳ੬ऑੑ͖ʹͬͯWebΛ·ͤɺ·ͨGoogleͷ Vulnerability Reward ProgramͰසൟʹใࠂ͞Ε͍ͯ·͢ɻ࠷৽ͷWebϓϥοτϑΥʔϜʹ ͓͚ΔηΩϡϦςΟͷΈΛֶΜͰɺ͋ͳͨͷαʔϏεΛΠϯδΣΫγϣϯ͔Β͍Ͱةݥͳ αΠτ͔Βִ͠·͠ΐ͏ɻ ·ͨɺWebͰͬͱηϯγςΟϒͳΞϓϦΛक͍ͬͯΔGoogleͷηΩϡϦςΟνʔϜͷܦݧ ʹΑͬͯಘΒΕͨϒϥβͷ৽ػೳʹΑͬͯɺ͋ͳͨͷΞϓϦέʔγϣϯΛकΔͨΊͷνΣοΫ
ϦετΛΓ·͠ΐ͏ɻ ͜ ͷ η ο γ ϣ ϯ ʹ ͭ ͍ ͯ
όάใࠂใ੍ۚͷڈͷׂ߹
Cross-site scripting Cross-site scripting (XSS) I n j e c
t i o n s 1. ϩάΠϯϢʔβʔ͕߈ܸऀͷϖʔδΛ๚ 2. ߈ܸऀ͕ϢʔβʔΛ੬ऑͳURLʹ༠ಋ͢Δ https://test.example/?query=<script src=“//evil/” > 3. εΫϦϓτ͕࣮ߦ͞Εɺ߈ܸऀ͕ϢʔβʔͷઃఆʹΞΫηε͢Δ
XSS is turai ͜ΕΒͷΠϯδΣΫγϣϯ߈ܸ ʹରͯ͠XSSۀքશମͰେ͖ ͳͱͳ͍ͬͯΔ
Let’s start CSP ·ͣɺίϯςϯπηΩϡϦςΟ ϙϦγʔ͔Β࢝Ί·͠ΐ͏
Content Security Policy Content Security Policy Level3 Ϧ ι ʔε
୯ Ґ Ͱ s c r i p t ͷ ࣮ ߦ Λ ੍ ޚ Ͱ ͖ Δ ػ ߏ ΞϓϦέʔγϣϯͷεΫϦϓτ࣮ߦʹؔ͢Δ͖Ίࡉ͔͘ ੍ޚ͢ΔΈΛಋೖͯ͠XSS͔Βޚ͢Δ scriptͷ࣮ߦϓϥάΠϯͷಡΈࠐΈΛίϯτϩʔϧ͢Δ ͜ͱ͕Ͱ͖Δ CSPɺదͳΤεέʔϓ·ͨXSSΛڐ༰͢ΔόάΛमਖ਼͢ΔͷͰ͋Γ·ͤΜ
How to implement Ͳ͏࣮ͬͯ͢Δͷ͔
Content Security Policy CSPHTTP Response Header Chrome dev tools ͷNetworkλϒ͔ΒͷΩϟϓνϟ
ࢦఆͨ͠Ϩεϙϯεʹؔ͢ΔϙϦγʔΛɺϒϥβଆͰ औಘ͠ɺࢦఆͨ͠ϙϦγʔΛಡΜͰ࣮ߦՄ൱Λ੍ޚ͢Δ
support for reports CSPϨϙʔτઐ༻Ϟʔυα ϙʔτ͍ͯ͠·͢
support for reports
Content Security Policy Nonce-Based CSP ͷߟ͑ํ ͜ͷΑ͏ʹCSPΛઃఆ͢Δͱ nonce ͳ͠ͷscriptϒϥβʹΑͬͯϒϩοΫ ༗ޮͳnonceΛ࣋ͭεΫϦϓτλάͰ͋Ε࣮ߦ
্هͷΑ͏ͳnonceΛϦΫΤετ͝ͱʹมߋ͢Ε߈ܸऀ༧ଌͰ͖ͳ͍
CDNͱ͔ͷଞͷॴͰ ϗετ͞Ε͍ͯΔJavaScript࣮ߦ ͞Εͳ͘ͳͬͯ͠·͏ͷͰ…ʁ
Content Security Policy ͦͷͨΊͷ ‘strict-dynamic’ strict-dynamic Λ༻͢Δͱɺ͢Ͱʹ৴པ͞Ε͍ͯΔεΫϦϓτΛڐՄ͢Δ͜ͱͰɺ nonceͷ͍ͭͨεΫϦϓτ͔Βੜ͞ΕͨεΫϦϓτ࣮ߦՄೳʹͳΔ ࣮ߦ͞ΕΔ
Content Security Policy ͲͷΑ͏ʹಋೖ͢Δ͔ 1. onclickhrefͰࢦఆ͞ΕΔΠϯϥΠϯΠϕϯτϋϯυϥʔΛͳ͘͢ 2.αʔόʔαΠυςϯϓϨʔτʹͯnonceΛࢦఆ͢Δ 3.ϨεϙϯεϔομʔͰCSPΛࢦఆ͢Δ
Trusted Types Trusted-types D o m ͷ ߋ ৽ ʹ
੍ Λ ઃ ͚ Δ ͜ ͱ ͕ Ͱ ͖ Δ ػ ߏ 1. ݸผʹఆٛͨ͠Trusted Type Policies͔Βੜ͞ΕΔ Trusted TypesΦϒδΣΫτͰͷΈɺDOMΛߋ৽Ͱ͖Δ 2.αχλΠζͷॲཧΛϙϦγʔΦϒδΣΫτʹूͰ͖Δ https://github.com/WICG/trusted-types ʹͯɺ શͯͷϒϥβͰػೳ͢Δ Polyfill ༻ҙ͞Ε͓ͯΓࢼͤΔΑ͏ʹͳ͍ͬͯΔ
1. validation ruleΛఆٛͨ͠ϙϦγʔΛ࡞͢Δ 2. ϙϦγʔΛ༻ͯ͠৴པͰ͖ΔܕͷΦϒδΣΫτΛ࡞͢Δ ͋
3. ࡞ͨ͠ ”samplePolicy” Λ CSPheader ʹՃ͢Δ͜ͱͰར༻Ͱ͖Δ Trusted Types Trusted-types D o m ͷ ߋ ৽ ʹ ੍ Λ ઃ ͚ Δ ͜ ͱ ͕ Ͱ ͖ Δ ػ ߏ
Trusted Types Default Policy String ͕ೖͬͨ࣌ͷ fallbackͱͯ͠ػೳ͢Δ 1. validation ruleΛఆٛͨ͠ϙϦγʔΛ࡞͢Δ
2. CSP headerʹՃ͢Δ
Trusted Types 1. ݸผʹఆٛͨ͠Trusted Type Policies͔Βੜ͞ΕΔTrusted TypesΦϒδΣΫτͰͷΈɺ DOMΛߋ৽Ͱ͖Δ 2. αχλΠζͷॲཧΛϙϦγʔΦϒδΣΫτʹूͰ͖Δ
ৄ͘͠ https://github.com/WICG/trusted-types ͳʹ͕خ͍͠ͷ͔ T r u s t e d T y p e s ͷ
cross-site request forgeries CSRFରࡦͷ
cross-site request forgeries • same-origin: ಉ͡εΩʔϚɺϗετɺϙʔτΛ࣋ͬͨαΠτಉ࢜ͷ͜ͱ - https://www.google.com/foo -
https://www.google.com/bar • same-site: ಉ͡εΩʔϚͱυϝΠϯΛ࣋ͬͨαΠτಉ࢜ͷ͜ͱ - https://mail.google.com - https://photos.google.com • cross-site: ͦͷଞ (https://www.youtube.com/, https://www.google.com/) Origin ͱ Site ͷҧ͍ʹ͍ͭͯ
Sec-Fetch-Site Sec-Fetch-Modeʹ͍ͭͯ কདྷతʹheaderͰಉҰorigin͔corsͳͲผͰ͖Δ
͓͠·͍