Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Reconsider Content Security Policy for WEB Appl...
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
sunecosuri
April 26, 2018
120
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Reconsider Content Security Policy for WEB Application
ContentSecurityPolicyの導入に際してまとめたものです
sunecosuri
April 26, 2018
More Decks by sunecosuri
See All by sunecosuri
New in Go 1.26 Implementing go fix in product development
sunecosuri
0
690
'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features
sunecosuri
2
390
Vue.js × TypeScript でclass style componentを廃止した話 / migrated-class-style-component -for-vuejs-and-typescrpit
sunecosuri
2
4.4k
Nuxt.js のbuid速度が早くなるオプションのいくつかについて / Increase-build-speed-for-Nuxt.js
sunecosuri
1
1.4k
about-vue-hooks.pdf
sunecosuri
1
770
Nuxt.js におけるCSPの連携について / content security policy for Nuxt.js
sunecosuri
0
2.6k
ロリポップマネージドクラウドでAlexaスキルを開発しよう / let's development alexa skill by lolipop managed cloud
sunecosuri
1
240
マネージドクラウドのリリース速度を上げるお話 / Increase release speed for managed cloud
sunecosuri
2
370
Featured
See All Featured
Game over? The fight for quality and originality in the time of robots
wayneb77
1
200
Writing Fast Ruby
sferik
630
63k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
250
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.5k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
New Earth Scene 8
popppiees
3
2.4k
Rails Girls Zürich Keynote
gr2m
96
14k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
55k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
290
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Automating Front-end Workflow
addyosmani
1370
210k
How GitHub (no longer) Works
holman
316
150k
Transcript
໐ւ߂ً(.01FQBCP *OD ϗε5FDI.5( 8&#ΞϓϦέʔγϣϯͷ ϦιʔεཧͪΌΜͱΖ͏
ΤϯδχΞ ໐ւ߂ً!TVOFDPTVSJ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ ϚωʔδυΫϥυνʔϜ
ɾΫϩεαΠτϦΫΤετϑΥʔδΣϦʢ$43'ʣ ɾΠϯδΣΫγϣϯ߈ܸ ɾσΟϨΫτϦτϥόʔαϧ ɾΫϩεαΠτεΫϦϓςΟϯάʢ944ʣ ɾΫϦοΫδϟοΩϯά ɾϝʔϧϔομʔΠϯδΣΫγϣϯ ߈ܸख๏ FUD
ɾ8FC"QQMJDBUJPO'JSFXBMM 8"' ɾ4UBUJDDPEFBOBMZTJT ɾ$POUFOU4FDVSJUZ1PMJDZ $41 ɾใۚ ɾηΩϡϦςΟࠪ ߈ܸख๏ʹର͢ΔΞϓϩʔν
ηΩϡϦςΟͱ͍ͬͯҰഋ͋ΔͷͰɺ
ϚωʔδυΫϥυͰ࣮ͨ͠ ҎԼͷରࡦʹͭͳ͕ΔΞϓϩʔνͷҰͭΛ͓͠͠·͢ w944 8FCαΠτɺѱҙͷ͋ΔεΫϦϓτΛຒΊࠐΉ߈ܸख๏ wΠϯδΣΫγϣϯ߈ܸ ϓϩάϥϜ͕ແޮͳσʔλΛॲཧͨ͠߹ʹग़ݱ͢ΔόάΛɺ߈ܸऀ͕ѱ༻͠ෆਖ਼ͳ໋ྩΛ࣮ߦ͢Δ߈ܸख๏ wΫϦοΫδϟοΩϯά 8FCϖʔδͷར༻ऀʹର͠ѱҙΛͬͯ༻͞ΕΔٕज़ͷҰछͰɺϦϯΫϘλϯͳͲͷཁૉΛӅṭɾِ͠ ͯΫϦοΫΛ༠͍ɺར༻ऀͷҙਤ͠ͳ͍ಈ࡞Λͤ͞Α͏ͱ͢Δ߈ܸख๏
$POUFOU4FDVSJUZ1PMJDZ
$POUFOU4FDVSJUZ1PMJDZ $41 ͱɺΫϩ εαΠτεΫϦϓςΟϯά 944 σʔλ Λࠩ͠ࠐΉ߈ܸͳͲͱ͍ͬͨɺಛఆͷछྨͷ ߈ܸΛݕ͠ɺӨڹΛܰݮ͢ΔͨΊʹՃͰ ͖ΔηΩϡϦςΟϨΠϠʔͰ͢ɻ .%/XFC%PDT
IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41ɹɹ
$41ͱ ࣮ߦΛڐՄ͢ΔϦιʔεͷϦετΛઃఆ͠ɺ Ϧετʹؚ·Εͳ͍ϦιʔεϒϥβଆͰ ϒϩοΫ͢Δͷ
w*OMJOF4DSJQUͷ࣮ߦ wཧऀͷҙਤ͠ͳ͍ϦιʔεͷಡΈࠐΈ ͳʹΛ͙͜ͱ͕Ͱ͖Δͷ͔ FWJMFYBNQMFDPNFWJM KT DEOFYBNQMFUFTUTBNQMFKT0, DEOFYBNQMFUFTUIPHFKQH0, FYBNQMFUFTUGVHBKT0, $41XIJUFMJTU ❌
8FCαʔόʔ ѱҙͷ͋Δਓ
None
ϒϥβରԠঢ়گ
$41ͷར༻ྫ ɾ DEOFYBNQMFDPNͱ͍͏$%/͔Β+BWB4DSJQUΛಡΈࠐΉ͕ɺ ͦΕҎ֎ڐՄ͠ͳ͍ ɾ ಉҰυϝΠϯͷը૾Ҏ֎ಡΈࠐ·ͳ͍ ɾ εΫϦϓτΛ࣮ߦͤͨ͘͞ͳ͍ͷͰ࣮ߦͦͷͷΛશ໘తʹڋ൱͢Δ FUDʜ
$41ಋೖͷσϝϦοτ w *&ରԠϒϥβʹؚΊͳ͍ͷͱ͢Δඞཁ͕͋Δ w ӡ༻͕ͦͦ͜͜໘͍͘͞ w ϗϫΠτϦετͷߋ৽Λ͠ଓ͚Δඞཁ͕ग़ͯ͘Δ w ։ൃνʔϜ$POUFOU4FDVSJUZ1PMJDZΛৗʹߟྀͯ͠։ൃ͢Δඞཁ͕ग़ͯ͘Δ w
దʹཧ͞Ε͍ͯͳ͚Εɺ944߈ܸͷରʹͳΔ w ϒϥβ࣮ʹ͓͍ͯࠩҟ͕͋Δ w ಋೖޙɺ+BWB4DSJQUͷϥΠϒϥϦͳͲ͕Ұ෦ಈ͔ͳ͘ͳΔՄೳੑʜ
ϙϦγʔͷछྨ σΟϨΫςΟϒ Өڹൣғ EFGBVMUTSD σϑΥϧτͰڐՄ͢Δઃఆ JNHTSD 'BWJDPOը૾ TDSJQUTSD +BWB4DSJQUͷίʔυ PCKFDUTSD
PCKFDUFNCFEBQQMFU NFEJBTSD WJEFPDBOWBT GPOUTSD !GPOUGBDF TUZMFTSD TUZMFDTT GSBNFTSD JGSBNF
$41ͷઃఆํ๏ add_header Content-Security-Policy default-src ‘self’; αʔόଆͰϨεϙϯεϔομʹʮ$POUFOU4FDVSJUZ1PMJDZʯΛग़ྗ͢ΔઃఆΛه͢Δ NFUBλάʹIUUQFRVJWଐੑΛ༻ͯ͠ઃఆ͢Δ͜ͱग़དྷ·͢ɻ
ɾ֎෦ͷ+BWB4DSJQUͷಡΈࠐΈ ɾ)5.-ʹهड़ͨ͠TDSJQUTDSJQUͷ+BWB4DSJQU ɾΠϕϯτଐੑ POMPBEYYYYͳͲ ͜ͷઃఆʹΑΓҎԼ͕ېࢭ͞ΕΔ
ݫ͗ͯ͑͢͠ͳ͍
)5.-ʹهड़ͨ͠TDSJQUϒϩοΫ࣮ߦ͞Εͳ͍ͷͰ֎෦ͷTDSJQUʹΓग़͢ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
Γग़ͨ͠TDSJQUΛHBKTͳͲͰอଘ )5.-ͷιʔεʹ֎෦εΫϦϓτͱͯ͠ಡΈࠐΉ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
add_header Content-Security-Policy default-src ‘none’; script-src ‘self’ www.google-analytics.com; img-src www.google-analytics.com; JavaScriptશͯ*.jsϑΝΠϧʹهड़ͯ͠֎෦ͷscriptͱͯ͠ಡΈࠐΈɺ
Մม͢ΔHTMLଆʹدͤΔͳͲίʔυͱσʔλΛ͢Δඞཁ͕͋Δ $41ͷઃఆํ๏ʢ(PPHMF"OBMZUJDTΛڐՄ͢Δ߹ʣ
ͦͷଞͷઃఆํ๏ OPODF OPODFͷͳ͍TDSJQUλά࣮ߦ͠ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ // nonce-base64ͷ add_header Content-Security-Policy script-src ‘nonce-2726c7f26c’;
ͦͷଞͷઃఆํ๏ IBTI 4)"ͰϋογϡԽͨ͠TDSJQUΛڐՄ͢Δ add_header Content-Security-Policy script-src ‘sha256-gPMJwWBMWDx0Cm7ZygJKZIU2vZpiYvzUQjl5Rh37hKs=';
ࠔͬͨ࣌ͷઃఆํ๏ FWBMΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFFWBMΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src ‘unsafe-eval’; ΠϯϥΠϯཁૉΛΘͳ͍ͱ͍͚ͳ͍߹ɺVOTBGFJOMJOFΦϓγϣϯΛه͢Δ add_header Content-Security-Policy script-src
‘unsafe-inline’;
Ϩϙʔτϩάͷૹ৴ SFQPSUVSJΦϓγϣϯΛه͢Δ͜ͱͰϨϙʔτΛҙͷ63-ʹKTPOͰ1045͢Δ͜ͱ͕Ͱ͖Δ add_header Content-Security-Policy default-src ‘self'; report-uri http://example.test/collector.js; +40/ܗࣜͰϨϙʔτ༰͕ҎԼͷΑ͏ͳ༰Ͱ1045͞ΕΔ
·ͱΊ w 8FCαΠτΛ҆શʹߏங͢Δͷ͍͠͠ɺ$41͕શͯΛղܾ͢ΔͷͰͳ͍ w $41Λ༻͍࣮ͯߦΛڐՄ͢ΔϦιʔεΛదʹઃఆ͢Δ͜ͱͰࠓΑΓηΩϡΞ ˠ$41ͷಋೖ࣌ɺ෭࣍తʹ)5.-ɺ+BWB4DSJQUɺ$44ͷʹͭͳ͕Δ w ֎෦ϦιʔεΛࢦఆ͢Δͱ͖VOTBGFJOMJOF VOTBGFFWBMΛ͏͖͔͖ͪΜͱߟ͑Δ ˠ944͕ޭ͢ΔڪΕ͕͋ΔͨΊIBTIOPODFͷ׆༻Λݕ౼͢Δ
w ϨϙʔτϩάͳͲΛऩूͯ͠߈ܸͷରࡦཱ͕ͯΒΕΔͱߋʹΑͦ͞͏
ࢀߟࢿྉ w$POUFOU4FDVSJUZ1PMJDZ $41 )551c.%/ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 w$POUFOU4FDVSJUZ1PMJDZ-FWFM IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551$41 wฐࣾͷϗʔϜϖʔδʹ$POUFOU4FDVSJUZ1PMJDZ $41 Λಋೖ͠·ͨ͠
IUUQCMPHFHTFDVSFDPKQ$POUFOU4FDVSJUZ1PMJDZ$41IUNM )"4)ίϯαϧςΟϯάΦϑΟγϟϧϒϩά