Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rails meets Content Security Policy
Search
Yuichi Takeuchi
April 25, 2018
Programming
1
650
Rails meets Content Security Policy
Shinjuku.rb #60
Rails 5.2でサポートしたCSPってなんなん?Railsがサポートってどういうこと?という話
Yuichi Takeuchi
April 25, 2018
Tweet
Share
More Decks by Yuichi Takeuchi
See All by Yuichi Takeuchi
現実のRuby/Railsアップグレード外伝 ~そして僕はforkした~
takeyuweb
0
640
現実のRuby/Railsアップグレード
takeyuweb
4
12k
Shinjuku.rb #95 LT会!心の技術書を紹介しよう!
takeyuweb
0
64
リモートワークへの招待
takeyuweb
2
530
OSSにみるレールの外側
takeyuweb
0
220
Rails受託会社を作っている話
takeyuweb
0
120
社長が書いたクソコードたち
takeyuweb
0
1.9k
Rails 考古学:WebAPIを取り巻く環境の変化とRailsの対応について
takeyuweb
0
98
RubyでAmazon CloudWatch Events定期ジョブを書けるやつ作った話
takeyuweb
0
600
Other Decks in Programming
See All in Programming
overlayPreferenceValue で実現する ピュア SwiftUI な AdMob ネイティブ広告
uhucream
0
170
XP, Testing and ninja testing ZOZ5
m_seki
3
360
WebエンジニアがSwiftをブラウザで動かすプレイグラウンドを作ってみた
ohmori_yusuke
0
170
After go func(): Goroutines Through a Beginner’s Eye
97vaibhav
0
240
Pull-Requestの内容を1クリックで動作確認可能にするワークフロー
natmark
2
480
タスクの特性や不確実性に応じた最適な作業スタイルの選択(ペアプロ・モブプロ・ソロプロ)と実践 / Optimal Work Style Selection: Pair, Mob, or Solo Programming.
honyanya
3
140
AI Coding Meetup #3 - 導入セッション / ai-coding-meetup-3
izumin5210
0
630
Back to the Future: Let me tell you about the ACP protocol
terhechte
0
130
止められない医療アプリ、そっと Swift 6 へ
medley
1
130
The Flutter Journey of Building a Live Streaming App — With a Side of Performance Tuning
u503
1
100
チームの境界をブチ抜いていけ
tokai235
0
100
CSC305 Lecture 02
javiergs
PRO
1
260
Featured
See All Featured
Raft: Consensus for Rubyists
vanstee
139
7.1k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.1k
A Modern Web Designer's Workflow
chriscoyier
697
190k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
114
20k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.2k
Faster Mobile Websites
deanohume
310
31k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
61k
Thoughts on Productivity
jonyablonski
70
4.9k
Fireside Chat
paigeccino
40
3.7k
The World Runs on Bad Software
bkeepers
PRO
71
11k
Transcript
Rails meets Content Security Policy 竹内雄一 Takeyu Web Inc.
@takeyuweb 2008年〜フリーランス 2016年 法人成り Rails 1.1〜 Saitama.rb主宰
Takeyu Web Inc.
Rails 5.2 Content Security Policy config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails 5.2 Content Security Policy Override policy inline class PostsController
< ApplicationController content_security_policy do |p| p.upgrade_insecure_requests true end end
Rails 5.2 Content Security Policy https://speakerdeck.com/yyagi/ rails-5-dot-2-part1?slide=23 http://guides.rubyonrails.org/ security.html#content-security-policy
What’s CSP? IPA ISEC セキュア・プログラミング講 座より Content Security Policy は、スク リプトのロードと実行等に強い制
約を設ける機能 https://www.ipa.go.jp/security/ awareness/vendor/programmingv2/ contents/705.html
HTTP Header GET /index.html Host: test.host HTTP/1.1 200 OK Content-Security-Policy:
default-src 'self'
default-src ‘self’ <script>alert("実 行 さ れ な い ");</script> <script
src="実 行 さ れ る .js"></script> <script src="://test.host/scripts/実 行 さ れ る .js"></script> <script src="://blocked.host/scripts/実 行 さ れ な い .js"></script>
script-src ‘https:’ <script src="http://test.host/scripts/さ れ な い .js"></script> <script src="https://test.host/scripts/実
行 さ れ る .js"></script> <script src="https://xxx.host/scripts/実 行 さ れ る .js"></script>
script-src ‘self’ ‘unsafe- inline’ <script>alert("実行される");</script>
script-src ‘nonce- xxxxxxxxxxxxxx’ nonce: number used once <script>alert("実行されない");</script> <script nonce="xxxxxxxxxxxxxx">alert("実行される");</script>
report-uri /csp-report ブロックしたとき、CSPレポートを送信 する POST /csp-report { "csp-report": { "blocked-uri":
"self", "document-uri": "http://localhost:3000/", "original-policy": "script-src ...", "referrer": "", "script-sample": "onclick attribute on A element", "source-file": "http://localhost:3000/", "violated-directive": "script-src" } }
Directives base-uri child-src connect-src default-src font-src form- action frame-ancestors frame-
src img-src manifest-src media- src object-src script-src style- src worker-src
Content-Security-Policy- Report-Only Report Only Content-Security-Policy-Report-Only: default-src https: report-to https://test.host/csp-report
Supported browsers ブラウザー実装状況 Content Security Policy (CSP) - HTTP MDN
Rails integration config/initializers/ content_security_policy.rb Rails.application.config.content_security_policy do |policy| policy.default_src :self, :https
policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end
Rails integration Override policy inline class PostsController < ApplicationController content_security_policy
do |p| p.upgrade_insecure_requests true end end
Rails integration <%= javascript_tag do %> alert('Without nonce'); <% end
%> <%= javascript_tag nonce: true do %> alert('With nonce'); <% end %>
Supported directives actionpack/lib/action_dispatch/http/ content_security_policy.rb
Enjoy Secure Programing!