Rails meets Content Security Policy
Yuichi Takeuchi
April 25, 2018
Shinjuku.rb #60
What is the CSP that Rails 5.2 added support for, and what does "Rails supports it" actually mean?
Transcript
Rails meets Content Security Policy
Yuichi Takeuchi (竹内雄一), Takeyu Web Inc.

@takeyuweb
Freelance since 2008; incorporated as Takeyu Web Inc. in 2016
Using Rails since 1.1
Organizer of Saitama.rb
Rails 5.2 Content Security Policy

config/initializers/content_security_policy.rb:

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https
  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end

Override the policy inline, per controller:

class PostsController < ApplicationController
  content_security_policy do |p|
    p.upgrade_insecure_requests true
  end
end
Rails 5.2 Content Security Policy: references
https://speakerdeck.com/yyagi/rails-5-dot-2-part1?slide=23
http://guides.rubyonrails.org/security.html#content-security-policy
What's CSP?

From the IPA ISEC Secure Programming Course: Content Security Policy is a feature that places strong restrictions on things such as the loading and execution of scripts.
https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/705.html
HTTP Header

The policy travels as a response header on the HTML document:

GET /index.html
Host: test.host

HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
default-src 'self'

<script>alert("not executed");</script>
<script src="executed.js"></script>
<script src="://test.host/scripts/executed.js"></script>
<script src="://blocked.host/scripts/not-executed.js"></script>

'self' matches only the document's own origin (same scheme, host and port), so the inline script and the script from blocked.host are refused. default-src is consulted here because no script-src is set; it is the fallback for every fetch directive that is absent.
script-src https:

<script src="http://test.host/scripts/not-executed.js"></script>
<script src="https://test.host/scripts/executed.js"></script>
<script src="https://xxx.host/scripts/executed.js"></script>

A scheme source allows any host over that scheme, so even the page's own host is refused over plain http and any third-party host is accepted over https.
script-src 'self' 'unsafe-inline'

<script>alert("executed");</script>

'unsafe-inline' re-enables inline scripts and inline event handlers, which gives up most of what CSP buys you against XSS; prefer nonces.
script-src 'nonce-xxxxxxxxxxxxxx'

nonce: number used once

<script>alert("not executed");</script>
<script nonce="xxxxxxxxxxxxxx">alert("executed");</script>

Only the tag that carries the same nonce as the header runs. The nonce must be unpredictable and freshly generated for every response; a fixed or guessable value lets an attacker put it on an injected script tag.
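The four slides above (default-src 'self', script-src https:, 'unsafe-inline', nonce) all describe the same decision a browser makes for every script element. The following is an added example, not code from the talk or from Rails or any browser: a small Ruby model of that decision for the source expressions used on these slides ('self', 'none', 'unsafe-inline', 'nonce-...', scheme sources such as https:, host sources such as https://cdn.example). Wildcards, hashes and bare host names are left out on purpose. Document and script URLs in the usage are constructed.

```ruby
require "uri"

# Minimal model of how a browser applies the script part of a
# Content-Security-Policy header to <script> elements. Added example, not
# browser or Rails code; it implements only the source expressions used on
# these slides ('self', 'none', 'unsafe-inline', 'nonce-...', scheme sources
# such as https: and host sources such as https://cdn.example).
class ScriptPolicy
  def initialize(header, document_url)
    @document = URI(document_url)
    @directives = header.split(";").each_with_object({}) do |part, acc|
      name, *sources = part.strip.split(/\s+/)
      acc[name.downcase] = sources if name
    end
  end

  # script-src governs scripts and default-src is the fallback; with neither
  # present the policy says nothing about scripts, so everything runs.
  def sources
    @directives["script-src"] || @directives["default-src"]
  end

  # <script>...</script>, optionally carrying nonce="...".
  def inline_allowed?(nonce: nil)
    return true if sources.nil?
    return false if sources.include?("'none'")
    return true if nonce && sources.include?("'nonce-#{nonce}'")
    # Once a nonce or hash is in the directive, 'unsafe-inline' is ignored
    # (CSP level 2 and later); that is what makes nonces a safe migration.
    return false if sources.any? { |s| s.start_with?("'nonce-", "'sha") }
    sources.include?("'unsafe-inline'")
  end

  # <script src="...">; relative URLs resolve against the document URL.
  def external_allowed?(src)
    return true if sources.nil?
    url = @document.merge(src)
    sources.any? { |source| matches?(source, url) }
  end

  private

  def matches?(source, url)
    case source
    when "'self'"                                 # same scheme, host and port
      url.scheme == @document.scheme && url.host == @document.host &&
        url.port == @document.port
    when /\A([a-z][a-z0-9+.-]*):\z/i              # scheme source, e.g. https:
      url.scheme.casecmp?(Regexp.last_match(1))
    when %r{\A([a-z][a-z0-9+.-]*)://([^/:]+)(?::(\d+))?}i   # host source
      scheme, host, port = Regexp.last_match.captures
      url.scheme.casecmp?(scheme) && url.host.casecmp?(host) &&
        (port.nil? ? url.port == url.default_port : url.port == port.to_i)
    else
      false      # 'none', 'unsafe-inline', nonces and hashes never match a URL
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed document URL and policies, matching the slides.
  doc = "http://test.host/index.html"
  p ScriptPolicy.new("default-src 'self'", doc).external_allowed?("http://blocked.host/x.js")
  p ScriptPolicy.new("script-src 'nonce-xxxxxxxxxxxxxx'", doc).inline_allowed?(nonce: "xxxxxxxxxxxxxx")
end
```

The last case in the model is the one worth remembering when migrating: a header that lists both 'unsafe-inline' and a nonce behaves as nonce-only in any browser that understands nonces, and falls back to 'unsafe-inline' only in browsers that do not.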
report-uri /csp-report

When the browser blocks something, it POSTs a CSP report to that URI:

POST /csp-report
{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://localhost:3000/",
    "original-policy": "script-src ...",
    "referrer": "",
    "script-sample": "onclick attribute on A element",
    "source-file": "http://localhost:3000/",
    "violated-directive": "script-src"
  }
}

A blocked-uri of "self" together with that script-sample means an inline onclick handler on the page itself was refused, which is the typical first finding when a policy is switched on.
Directives

base-uri, child-src, connect-src, default-src, font-src, form-action, frame-ancestors, frame-src, img-src, manifest-src, media-src, object-src, script-src, style-src, worker-src
Content-Security-Policy-Report-Only

Report Only: violations are reported but nothing is blocked, which is how you trial a policy against real traffic before enforcing it.

Content-Security-Policy-Report-Only: default-src https:; report-uri https://test.host/csp-report

report-uri takes the URL directly; the newer report-to directive instead takes the name of a reporting group declared in a separate Report-To header, so the two are not interchangeable.
Supported browsers

For the browser implementation status, see the compatibility table in "Content Security Policy (CSP) - HTTP | MDN".
Rails integration

The initializer in config/initializers/content_security_policy.rb and the per-controller override are the ones shown at the start of the deck.
Rails integration: nonces in views

<%= javascript_tag do %>
  alert('Without nonce');
<% end %>

<%= javascript_tag nonce: true do %>
  alert('With nonce');
<% end %>

nonce: true only emits a nonce attribute when config.content_security_policy_nonce_generator is set (for example to -> request { SecureRandom.base64(16) }); with the generator set, Rails 5.2 appends the same 'nonce-...' value to script-src for that response.
Supported directives

The directives Rails knows about are listed in actionpack/lib/action_dispatch/http/content_security_policy.rb.
Enjoy Secure Programming!