Rails meets Content Security Policy

Shinjuku.rb #60

A talk about what the CSP support added in Rails 5.2 actually is, and what it means for Rails to "support" it.

Yuichi Takeuchi

April 25, 2018

Transcript

  1. Rails meets Content Security Policy. 竹内雄一 (Yuichi Takeuchi), Takeyu Web Inc.

  2. @takeyuweb. Freelance since 2008, incorporated in 2016. Using Rails since 1.1. Organizer of Saitama.rb.

  3. Takeyu Web Inc.

  4. Rails 5.2 Content Security Policy: config/initializers/content_security_policy.rb

        Rails.application.config.content_security_policy do |policy|
          policy.default_src :self, :https
          policy.font_src    :self, :https, :data
          policy.img_src     :self, :https, :data
          policy.object_src  :none
          policy.script_src  :self, :https
          policy.style_src   :self, :https

          # Specify URI for violation reports
          policy.report_uri "/csp-violation-report-endpoint"
        end

  5. Rails 5.2 Content Security Policy: override the policy inline in a controller

        class PostsController < ApplicationController
          content_security_policy do |p|
            p.upgrade_insecure_requests true
          end
        end

  6. Rails 5.2 Content Security Policy: https://speakerdeck.com/yyagi/rails-5-dot-2-part1?slide=23 and http://guides.rubyonrails.org/security.html#content-security-policy

  7. What's CSP? From the IPA ISEC Secure Programming Course: Content Security Policy is a feature that imposes strong restrictions on things such as the loading and execution of scripts. https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/705.html
  8. HTTP Header. The policy is delivered as a response header:

        GET /index.html
        Host: test.host

        HTTP/1.1 200 OK
        Content-Security-Policy: default-src 'self'
  9. default-src 'self' (in the examples, 実行される = executed, 実行されない = not executed):

        <script>alert("実行されない");</script>
        <script src="実行される.js"></script>
        <script src="://test.host/scripts/実行される.js"></script>
        <script src="://blocked.host/scripts/実行されない.js"></script>
  10. script-src https: (a scheme source such as https: is written without quotes):

        <script src="http://test.host/scripts/されない.js"></script>
        <script src="https://test.host/scripts/実行される.js"></script>
        <script src="https://xxx.host/scripts/実行される.js"></script>
  11. script-src 'self' 'unsafe-inline'

        <script>alert("実行される");</script>

  12. script-src 'nonce-xxxxxxxxxxxxxx' (nonce: number used once)

        <script>alert("実行されない");</script>
        <script nonce="xxxxxxxxxxxxxx">alert("実行される");</script>

  13. report-uri /csp-report: when something is blocked, the browser sends a CSP report:

        POST /csp-report
        {
          "csp-report": {
            "blocked-uri": "self",
            "document-uri": "http://localhost:3000/",
            "original-policy": "script-src ...",
            "referrer": "",
            "script-sample": "onclick attribute on A element",
            "source-file": "http://localhost:3000/",
            "violated-directive": "script-src"
          }
        }
  14. Directives: base-uri, child-src, connect-src, default-src, font-src, form-action, frame-ancestors, frame-src, img-src, manifest-src, media-src, object-src, script-src, style-src, worker-src
  15. Content-Security-Policy-Report-Only (Report Only):

        Content-Security-Policy-Report-Only: default-src https: report-to https://test.host/csp-report

  16. Supported browsers (browser implementation status): Content Security Policy (CSP) - HTTP | MDN

  17. Rails integration: config/initializers/content_security_policy.rb

        Rails.application.config.content_security_policy do |policy|
          policy.default_src :self, :https
          policy.font_src    :self, :https, :data
          policy.img_src     :self, :https, :data
          policy.object_src  :none
          policy.script_src  :self, :https
          policy.style_src   :self, :https

          # Specify URI for violation reports
          policy.report_uri "/csp-violation-report-endpoint"
        end
  18. Rails integration: override the policy inline in a controller

        class PostsController < ApplicationController
          content_security_policy do |p|
            p.upgrade_insecure_requests true
          end
        end
  19. Rails integration: javascript_tag with and without a nonce

        <%= javascript_tag do %>
          alert('Without nonce');
        <% end %>

        <%= javascript_tag nonce: true do %>
          alert('With nonce');
        <% end %>
  20. Supported directives: actionpack/lib/action_dispatch/http/content_security_policy.rb

  21. Enjoy Secure Programming!
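As an added example (not from the deck and not ActionDispatch's own code), the Ruby script below models how the DSL on slides 17-19 serializes to a Content-Security-Policy header, then replays the allow/block decisions of slides 9-12 against that header. MiniPolicy, SOURCE_MAP and script_allowed? are self-written stand-ins, and the :nonce source keyword is an assumption modelled on javascript_tag nonce: true; real browsers apply the full CSP3 source-matching rules, which this deliberately simplifies.

```ruby
require "securerandom"
require "uri"

# Keyword mapping in the style of the Rails DSL (self-written model, not ActionDispatch's code).
SOURCE_MAP = { self: "'self'", https: "https:", data: "data:", none: "'none'",
               unsafe_inline: "'unsafe-inline'" }.freeze

class MiniPolicy
  def initialize
    @directives = {}
  end

  # One setter per directive, e.g. policy.script_src :self, :https
  %w[default_src script_src style_src img_src font_src object_src].each do |name|
    define_method(name) { |*sources| @directives[name.tr("_", "-")] = sources }
  end

  def report_uri(uri)
    @directives["report-uri"] = [uri]
  end

  # Serialize to header text: symbols become CSP keywords, strings pass through, and the
  # :nonce keyword (an assumption here) expands to the per-request nonce of javascript_tag nonce: true.
  def build(nonce = SecureRandom.base64(16))
    @directives.map do |dir, srcs|
      values = srcs.map { |s| s == :nonce ? "'nonce-#{nonce}'" : SOURCE_MAP.fetch(s, s) }
      "#{dir} #{values.join(' ')}"
    end.join("; ")
  end
end

# Model of the decisions on slides 9-12: would this <script> run under `header`?
# Simplified on purpose; browsers implement the full CSP3 source-matching algorithm.
def script_allowed?(header, page_host:, src: nil, inline: false, nonce: nil)
  directives = header.split(";").each_with_object({}) do |d, h|
    name, *values = d.strip.split(" ")
    h[name] = values
  end
  sources = directives["script-src"] || directives["default-src"] || [] # script-src falls back to default-src
  if inline
    return true if sources.include?("'unsafe-inline'")
    return !nonce.nil? && sources.include?("'nonce-#{nonce}'")
  end
  uri = URI.parse(src)
  host = uri.host || page_host # a relative src resolves to the page's own origin
  return true if sources.include?("'self'") && host == page_host
  return true if sources.include?("https:") && uri.scheme == "https"
  false
end
```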