Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rails meets Content Security Policy
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Yuichi Takeuchi
April 25, 2018
Programming
720
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Rails meets Content Security Policy
Shinjuku.rb #60
Rails 5.2でサポートしたCSPってなんなん?Railsがサポートってどういうこと?という話
Yuichi Takeuchi
April 25, 2018
More Decks by Yuichi Takeuchi
See All by Yuichi Takeuchi
現実のRuby/Railsアップグレード外伝 ~そして僕はforkした~
takeyuweb
0
860
現実のRuby/Railsアップグレード
takeyuweb
4
14k
Shinjuku.rb #95 LT会!心の技術書を紹介しよう!
takeyuweb
0
110
リモートワークへの招待
takeyuweb
2
550
OSSにみるレールの外側
takeyuweb
0
240
Rails受託会社を作っている話
takeyuweb
0
150
社長が書いたクソコードたち
takeyuweb
0
2k
Rails 考古学:WebAPIを取り巻く環境の変化とRailsの対応について
takeyuweb
0
130
RubyでAmazon CloudWatch Events定期ジョブを書けるやつ作った話
takeyuweb
0
660
Other Decks in Programming
See All in Programming
TypeScript+Orvalで実現する型安全かつ堅牢でスケーラブルなマルチチャネル通知基盤 / TSKaigi Night talks ~after conference~
d0riven
0
360
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
170
気づいたらRubyで100作品 ー クリエイティブコーディングが生活の一部になるまで / 100 Ruby Sketches Later: How Creative Coding Became Part of My Life
chobishiba
3
610
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
nrslib
4
1.5k
Javaの型とAI時代に型が大事な理由 / java types and type in AI era
kishida
2
150
Vue × Nuxt × Oxc どこまで使える?実運用の現在地
andpad
0
300
A2UI という光を覗いてみる
satohjohn
1
150
不変条件と整合性境界—ビジネスが決める設計判断と実現パターン / Invariants and Consistency Boundaries
nrslib
14
5.8k
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
kishida
12
4.4k
AIだと陥りがちなJakarta EE最新技術への移行時の落とし穴と解決策
tnagao7
0
120
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
220
Featured
See All Featured
Chasing Engaging Ingredients in Design
codingconduct
0
220
Balancing Empowerment & Direction
lara
6
1.2k
New Earth Scene 8
popppiees
3
2.4k
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
2.1k
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
210
How to make the Groovebox
asonas
2
2.2k
The Limits of Empathy - UXLibs8
cassininazir
1
370
How to Ace a Technical Interview
jacobian
281
24k
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
56k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
360
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Transcript
Rails meets Content Security Policy 竹内雄一 Takeyu Web Inc.
@takeyuweb 2008年〜フリーランス 2016年 法人成り Rails 1.1〜 Saitama.rb主宰
Takeyu Web Inc.
Rails 5.2 Content Security Policy config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails 5.2 Content Security Policy Override policy inline class PostsController
< ApplicationController content_security_policy do |p| p.upgrade_insecure_requests true end end
Rails 5.2 Content Security Policy https://speakerdeck.com/yyagi/ rails-5-dot-2-part1?slide=23 http://guides.rubyonrails.org/ security.html#content-security-policy
What’s CSP? IPA ISEC セキュア・プログラミング講 座より Content Security Policy は、スク リプトのロードと実行等に強い制
約を設ける機能 https://www.ipa.go.jp/security/ awareness/vendor/programmingv2/ contents/705.html
HTTP Header GET /index.html Host: test.host HTTP/1.1 200 OK Content-Security-Policy:
default-src 'self'
default-src ‘self’ <script>alert("実 行 さ れ な い ");</script> <script
src="実 行 さ れ る .js"></script> <script src="://test.host/scripts/実 行 さ れ る .js"></script> <script src="://blocked.host/scripts/実 行 さ れ な い .js"></script>
script-src ‘https:’ <script src="http://test.host/scripts/さ れ な い .js"></script> <script src="https://test.host/scripts/実
行 さ れ る .js"></script> <script src="https://xxx.host/scripts/実 行 さ れ る .js"></script>
script-src ‘self’ ‘unsafe- inline’ <script>alert("実行される");</script>
script-src ‘nonce- xxxxxxxxxxxxxx’ nonce: number used once <script>alert("実行されない");</script> <script nonce="xxxxxxxxxxxxxx">alert("実行される");</script>
report-uri /csp-report ブロックしたとき、CSPレポートを送信 する POST /csp-report { "csp-report": { "blocked-uri":
"self", "document-uri": "http://localhost:3000/", "original-policy": "script-src ...", "referrer": "", "script-sample": "onclick attribute on A element", "source-file": "http://localhost:3000/", "violated-directive": "script-src" } }
Directives base-uri child-src connect-src default-src font-src form- action frame-ancestors frame-
src img-src manifest-src media- src object-src script-src style- src worker-src
Content-Security-Policy- Report-Only Report Only Content-Security-Policy-Report-Only: default-src https: report-to https://test.host/csp-report
Supported browsers ブラウザー実装状況 Content Security Policy (CSP) - HTTP MDN
Rails integration config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy| policy.default_src :self, :https
policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails integration Override policy inline class PostsController < ApplicationController content_security_policy
do |p| p.upgrade_insecure_requests true end end
Rails integration <%= javascript_tag do %> alert('Without nonce'); <% end
%> <%= javascript_tag nonce: true do %> alert('With nonce'); <% end %>
Supported directives actionpack/lib/action_dispatch/http/ content_security_policy.rb
Enjoy Secure Programing!