Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rails meets Content Security Policy
Search
Yuichi Takeuchi
April 25, 2018
Programming
1
650
Rails meets Content Security Policy
Shinjuku.rb #60
Rails 5.2でサポートしたCSPってなんなん?Railsがサポートってどういうこと?という話
Yuichi Takeuchi
April 25, 2018
Tweet
Share
More Decks by Yuichi Takeuchi
See All by Yuichi Takeuchi
現実のRuby/Railsアップグレード外伝 ~そして僕はforkした~
takeyuweb
0
640
現実のRuby/Railsアップグレード
takeyuweb
4
12k
Shinjuku.rb #95 LT会!心の技術書を紹介しよう!
takeyuweb
0
64
リモートワークへの招待
takeyuweb
2
530
OSSにみるレールの外側
takeyuweb
0
220
Rails受託会社を作っている話
takeyuweb
0
120
社長が書いたクソコードたち
takeyuweb
0
1.9k
Rails 考古学:WebAPIを取り巻く環境の変化とRailsの対応について
takeyuweb
0
98
RubyでAmazon CloudWatch Events定期ジョブを書けるやつ作った話
takeyuweb
0
600
Other Decks in Programming
See All in Programming
Conquering Massive Traffic Spikes in Ruby Applications with Pitchfork
riseshia
0
160
Building, Deploying, and Monitoring Ruby Web Applications with Falcon (Kaigi on Rails 2025)
ioquatix
4
1.8k
2分台で1500examples完走!爆速CIを支える環境構築術 - Kaigi on Rails 2025
falcon8823
3
3.5k
どの様にAIエージェントと 協業すべきだったのか?
takefumiyoshii
2
630
10年もののAPIサーバーにおけるCI/CDの改善の奮闘
mbook
0
800
After go func(): Goroutines Through a Beginner’s Eye
97vaibhav
0
330
Go Conference 2025: Goで体感するMultipath TCP ― Go 1.24 時代の MPTCP Listener を理解する
takehaya
8
1.6k
Domain-centric? Why Hexagonal, Onion, and Clean Architecture Are Answers to the Wrong Question
olivergierke
2
790
明日から始めるリファクタリング
ryounasso
0
130
Serena MCPのすすめ
wadakatu
4
950
なぜGoのジェネリクスはこの形なのか? Featherweight Goが明かす設計の核心
ryotaros
7
1.1k
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
200
Featured
See All Featured
Git: the NoSQL Database
bkeepers
PRO
431
66k
Site-Speed That Sticks
csswizardry
11
890
Six Lessons from altMBA
skipperchong
28
4k
It's Worth the Effort
3n
187
28k
The Straight Up "How To Draw Better" Workshop
denniskardys
237
140k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
30
2.9k
Statistics for Hackers
jakevdp
799
220k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
Large-scale JavaScript Application Architecture
addyosmani
514
110k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Bash Introduction
62gerente
615
210k
Transcript
Rails meets Content Security Policy 竹内雄一 Takeyu Web Inc.
@takeyuweb 2008年〜フリーランス 2016年 法人成り Rails 1.1〜 Saitama.rb主宰
Takeyu Web Inc.
Rails 5.2 Content Security Policy config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails 5.2 Content Security Policy Override policy inline class PostsController
< ApplicationController content_security_policy do |p| p.upgrade_insecure_requests true end end
Rails 5.2 Content Security Policy https://speakerdeck.com/yyagi/ rails-5-dot-2-part1?slide=23 http://guides.rubyonrails.org/ security.html#content-security-policy
What’s CSP? IPA ISEC セキュア・プログラミング講 座より Content Security Policy は、スク リプトのロードと実行等に強い制
約を設ける機能 https://www.ipa.go.jp/security/ awareness/vendor/programmingv2/ contents/705.html
HTTP Header GET /index.html Host: test.host HTTP/1.1 200 OK Content-Security-Policy:
default-src 'self'
default-src ‘self’ <script>alert("実 行 さ れ な い ");</script> <script
src="実 行 さ れ る .js"></script> <script src="://test.host/scripts/実 行 さ れ る .js"></script> <script src="://blocked.host/scripts/実 行 さ れ な い .js"></script>
script-src ‘https:’ <script src="http://test.host/scripts/さ れ な い .js"></script> <script src="https://test.host/scripts/実
行 さ れ る .js"></script> <script src="https://xxx.host/scripts/実 行 さ れ る .js"></script>
script-src ‘self’ ‘unsafe- inline’ <script>alert("実行される");</script>
script-src ‘nonce- xxxxxxxxxxxxxx’ nonce: number used once <script>alert("実行されない");</script> <script nonce="xxxxxxxxxxxxxx">alert("実行される");</script>
report-uri /csp-report ブロックしたとき、CSPレポートを送信 する POST /csp-report { "csp-report": { "blocked-uri":
"self", "document-uri": "http://localhost:3000/", "original-policy": "script-src ...", "referrer": "", "script-sample": "onclick attribute on A element", "source-file": "http://localhost:3000/", "violated-directive": "script-src" } }
Directives base-uri child-src connect-src default-src font-src form- action frame-ancestors frame-
src img-src manifest-src media- src object-src script-src style- src worker-src
Content-Security-Policy- Report-Only Report Only Content-Security-Policy-Report-Only: default-src https: report-to https://test.host/csp-report
Supported browsers ブラウザー実装状況 Content Security Policy (CSP) - HTTP MDN
Rails integration config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy| policy.default_src :self, :https
policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails integration Override policy inline class PostsController < ApplicationController content_security_policy
do |p| p.upgrade_insecure_requests true end end
Rails integration <%= javascript_tag do %> alert('Without nonce'); <% end
%> <%= javascript_tag nonce: true do %> alert('With nonce'); <% end %>
Supported directives actionpack/lib/action_dispatch/http/ content_security_policy.rb
Enjoy Secure Programing!