Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rails meets Content Security Policy
Search
Yuichi Takeuchi
April 25, 2018
Programming
1
650
Rails meets Content Security Policy
Shinjuku.rb #60
Rails 5.2でサポートしたCSPってなんなん?Railsがサポートってどういうこと?という話
Yuichi Takeuchi
April 25, 2018
Tweet
Share
More Decks by Yuichi Takeuchi
See All by Yuichi Takeuchi
現実のRuby/Railsアップグレード外伝 ~そして僕はforkした~
takeyuweb
0
610
現実のRuby/Railsアップグレード
takeyuweb
4
12k
Shinjuku.rb #95 LT会!心の技術書を紹介しよう!
takeyuweb
0
63
リモートワークへの招待
takeyuweb
2
530
OSSにみるレールの外側
takeyuweb
0
220
Rails受託会社を作っている話
takeyuweb
0
120
社長が書いたクソコードたち
takeyuweb
0
1.9k
Rails 考古学:WebAPIを取り巻く環境の変化とRailsの対応について
takeyuweb
0
98
RubyでAmazon CloudWatch Events定期ジョブを書けるやつ作った話
takeyuweb
0
600
Other Decks in Programming
See All in Programming
Namespace and Its Future
tagomoris
6
700
プロポーザル駆動学習 / Proposal-Driven Learning
mackey0225
2
1.2k
Oracle Database Technology Night 92 Database Connection control FAN-AC
oracle4engineer
PRO
1
440
モバイルアプリからWebへの横展開を加速した話_Claude_Code_実践術.pdf
kazuyasakamoto
0
320
AI Coding Agentのセキュリティリスク:PRの自己承認とメルカリの対策
s3h
0
200
Tool Catalog Agent for Bedrock AgentCore Gateway
licux
6
2.3k
パッケージ設計の黒魔術/Kyoto.go#63
lufia
3
430
Compose Multiplatform × AI で作る、次世代アプリ開発支援ツールの設計と実装
thagikura
0
130
意外と簡単!?フロントエンドでパスキー認証を実現する WebAuthn
teamlab
PRO
2
720
請來的 AI Agent 同事們在寫程式時,怎麼用 pytest 去除各種幻想與盲點
keitheis
0
110
Rancher と Terraform
fufuhu
2
240
CJK and Unicode From a PHP Committer
youkidearitai
PRO
0
110
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.9k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
The Pragmatic Product Professional
lauravandoore
36
6.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Producing Creativity
orderedlist
PRO
347
40k
Scaling GitHub
holman
463
140k
RailsConf 2023
tenderlove
30
1.2k
Documentation Writing (for coders)
carmenintech
74
5k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Transcript
Rails meets Content Security Policy 竹内雄一 Takeyu Web Inc.
@takeyuweb 2008年〜フリーランス 2016年 法人成り Rails 1.1〜 Saitama.rb主宰
Takeyu Web Inc.
Rails 5.2 Content Security Policy config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails 5.2 Content Security Policy Override policy inline class PostsController
< ApplicationController content_security_policy do |p| p.upgrade_insecure_requests true end end
Rails 5.2 Content Security Policy https://speakerdeck.com/yyagi/ rails-5-dot-2-part1?slide=23 http://guides.rubyonrails.org/ security.html#content-security-policy
What’s CSP? IPA ISEC セキュア・プログラミング講 座より Content Security Policy は、スク リプトのロードと実行等に強い制
約を設ける機能 https://www.ipa.go.jp/security/ awareness/vendor/programmingv2/ contents/705.html
HTTP Header GET /index.html Host: test.host HTTP/1.1 200 OK Content-Security-Policy:
default-src 'self'
default-src ‘self’ <script>alert("実 行 さ れ な い ");</script> <script
src="実 行 さ れ る .js"></script> <script src="://test.host/scripts/実 行 さ れ る .js"></script> <script src="://blocked.host/scripts/実 行 さ れ な い .js"></script>
script-src ‘https:’ <script src="http://test.host/scripts/さ れ な い .js"></script> <script src="https://test.host/scripts/実
行 さ れ る .js"></script> <script src="https://xxx.host/scripts/実 行 さ れ る .js"></script>
script-src ‘self’ ‘unsafe- inline’ <script>alert("実行される");</script>
script-src ‘nonce- xxxxxxxxxxxxxx’ nonce: number used once <script>alert("実行されない");</script> <script nonce="xxxxxxxxxxxxxx">alert("実行される");</script>
report-uri /csp-report ブロックしたとき、CSPレポートを送信 する POST /csp-report { "csp-report": { "blocked-uri":
"self", "document-uri": "http://localhost:3000/", "original-policy": "script-src ...", "referrer": "", "script-sample": "onclick attribute on A element", "source-file": "http://localhost:3000/", "violated-directive": "script-src" } }
Directives base-uri child-src connect-src default-src font-src form- action frame-ancestors frame-
src img-src manifest-src media- src object-src script-src style- src worker-src
Content-Security-Policy- Report-Only Report Only Content-Security-Policy-Report-Only: default-src https: report-to https://test.host/csp-report
Supported browsers ブラウザー実装状況 Content Security Policy (CSP) - HTTP MDN
Rails integration config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy| policy.default_src :self, :https
policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails integration Override policy inline class PostsController < ApplicationController content_security_policy
do |p| p.upgrade_insecure_requests true end end
Rails integration <%= javascript_tag do %> alert('Without nonce'); <% end
%> <%= javascript_tag nonce: true do %> alert('With nonce'); <% end %>
Supported directives actionpack/lib/action_dispatch/http/ content_security_policy.rb
Enjoy Secure Programing!