Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Nuxt.js におけるCSPの連携について / content security polic...

Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js

sunecosuri

July 12, 2018
Tweet

More Decks by sunecosuri

Other Decks in Technology

Transcript

  1. Content Security Policy σ ʔ λ ͷ ৵ ೖ Λ

    ๷ ͙ ػ ߏ ΢ΣϒαΠτͰѻ͏ϦιʔεͷಡΈࠐΈΛࡉ͔͘؅ཧ͢Δ͜ͱ͕Ͱ͖ΔHTTP headerɻ W3CʹΑͬͯ΋ఆٛ͞Ε͓ͯΓɺXSSͱ͍ͬͨѱҙͷ͋Δ injection ߈ܸͷϦεΫΛܰݮ͢Δ͜ͱ͕Ͱ͖Δɻ
 ࣮ߦΛڐՄ͢ΔϦιʔεΛϗϫΠτϦετํࣜͰઃఆ͠ɺؚ·Εͳ͍Ϧιʔε͸ϒϥ΢βͰ࣮ߦΛϒϩοΫ͢Δ͜ͱ ͕Ͱ͖Δɻ ͳ ʹ Λ ๷ ͙ ͷ ͔ ɾInline Scriptͷ࣮ߦ
 ɾҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ
  2. Can I use ରԠϒϥ΢βঢ়گ W R I T E H

    E R E S O M E T H I N G A B O U T Entrepreneurial activities differ substantially depending on the type of organization and creativity. Entrepreneurial activities differ substantially depending on the type of organization and creativity. Entrepreneurial activities differ substantially depending on the type of organization and creativity. Entrepreneurial activities differ substantially.
  3. ࣮ߦͷछྨ W h i t e l i s t

    n o n c e ଐ ੑ H a s h ஋ script-src www.google-analytics.com script-src ‘nonce-t3cdm2’ script-src ‘sha256-3d8xj1psc/5kx92a…..’
  4. Whitelist Whitelist e x a m p l e .

    t e s t C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src ‘self’ cdn.example.com; report-uri /csp-log; <img src=“sample.png”> <script src=“// cdn.example.com/index.js”> ಉҰΦϦδϯͳͷͰOK srcipt-src σΟϨΫςΟϒʹ
 هࡌ͞ΕͯΔͷͰOK
  5. e x a m p l e . t e

    s t C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src ‘self’ cdn.example.com; report-uri /csp-log; <img src=“sample.png”> <script src=“// cdn.example.com/index.js”> ಉҰΦϦδϯͳͷͰOK srcipt-src σΟϨΫςΟϒʹ
 هࡌ͞ΕͯΔͷͰOK “>’><script src=“//evil.test”> “>’<script>alert(‘attack’)</ script> ϗϫΠτϦετʹͳ͍ͷͰNG Inline script ͸ڐՄ͍ͯ͠ͳ͍ͷͰNG Whitelist Whitelist
  6. e x a m p l e . t e

    s t C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src ‘self’ cdn.example.com; report-uri /csp-log; <img src=“sample.png”> <script src=“// cdn.example.com/index.js”> ಉҰΦϦδϯͳͷͰOK srcipt-src σΟϨΫςΟϒʹ
 هࡌ͞ΕͯΔͷͰOK “>’><script src=“//evil.test”> “>’<script>alert(‘attack’)</ script> P O S T h t t p : // e x a m p l e . t e s t / c s p - l o g json ͷܗࣜͰPOST͞ΕΔ Whitelist Whitelist
  7. <script nonce=“nonce-EDNnf03”>
 alert(‘execute’)
 </script> <script>
 alert(‘not execute’)
 </script> nonceͰڐՄ͢Δ C

    o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src 'nonce-EDNnf03' report-uri /csp-log; srcipt-src σΟϨΫςΟϒͰࢦఆ͞Εͨ nonce-* ͷ஋͕Ұக͢Δ΋ͷͷΈ࣮ߦ͢Δ
  8. <script nonce=“sha256- qznLcsROx4GACP2dm0UCKCzCG- HiZ1guq6ZZDob_Tng= ”>
 alert(‘execute’)
 </script> <script>
 alert(‘not execute’)


    </script> C o n t e n t S e c u r i t y P o l i c y default-src ‘self’; scripit-src 'sha256- qznLcsROx4GACP2dm0UCKCzCG- HiZ1guq6ZZDob_Tng=' report-uri /csp-log; Hash஋ͰڐՄ͢Δ ࣮ߦ͢ΔscriptϒϩοΫΛ೚ҙͷΞϧΰϦζϜͰΤϯίʔυͯ͠Ұக͍ͯ͠Δ΋ͷͷΈΛ࣮ߦ͢Δ