[B! csp] ama-chã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ama-ch id:ama-ch

cspã«é–¢ã™ã‚‹ama-chã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Integrity protection for third-party JavaScript
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the fâ€¦
ama-ch 2015/06/16
security

slide

csp

hsts

sri
ãƒªãƒ³ã‚¯
ãã‚ãã‚CSP Lv.2 nonceã‚„ã‚ã† - teppeis blog
tl;dr CSP Lv.2ã®nonceã‚’ä½¿ã†ã¨æ„å¤–ã¨ç°¡å˜ã«CSPã®æ©æµã‚’å—ã‘ã‚Œã‚‹ã‚ˆ Firefoxã¯unsafe-inlineã¨ã®æŒ™å‹•ãŒãŠã‹ã—ã„ã®ã§æ³¨æ„ ã‚µãƒ³ãƒ—ãƒ«å®Ÿè£…ã¨ã—ã¦Expressã§ç°¡å˜ã«nonceå¯¾å¿œã§ãã‚‹connectãƒ—ãƒ©ã‚°ã‚¤ãƒ³ã‚’æ›¸ã„ãŸï¼ˆãƒ‡ãƒ¢ã‚ã‚Šï¼‰ Violation Reportã‚‚ãƒ–ãƒ©ã‚¦ã‚¶ã«ã‚ˆã£ã¦ç´°ã‹ã„æŒ™å‹•ã®å·®ç•°ãŒã‚ã‚‹ã‚ˆ CSP Lv.2 nonceã®ç™»å ´ã¨èƒŒæ™¯ CSPã®ç‰¹ã«unsafe-inlineã¯XSSã«å¯¾ã—ã¦æœ€çµ‚é˜²è¡›ç·šçš„ã«å¼·åŠ›ãªåŠ¹æžœãŒã‚ã‚‹ã€‚ ã—ã‹ã—ç‰¹ã«ã‚µãƒ¼ãƒãƒ¼ã‹ã‚‰ã®å€¤ã®å—ã‘æ¸¡ã—éƒ¨åˆ†ãªã©ã§ã©ã†ã—ã¦ã‚‚inline scriptã‚’ä½¿ã„ãŸããªã‚‹ã¨ã“ã‚ãŒã‚ã‚Šã€unsafe-inlineã‚’ç¦æ¢ã™ã‚‹ã¨DOM dataç‰ã‚’ä½¿ã‚ã–ã‚‹ã‚’å¾—ãšã€ã¤ã‚‰ã„æ„Ÿã˜ã ã£ãŸã€‚ @kazuho ã§ã™ãã€‚ã‹ã¨ã„ã£ã¦DOM dataã‹ãƒ¼ã€ã€ã¨ã„ã†æ„Ÿã˜ã§ã¯ã‚ã‚‹ã‚“ã§ã™ãŒã€CSPã§inline scriptç¦æ¢ã—ã¡
ama-ch 2014/11/12
csp
ãƒªãƒ³ã‚¯
BSidesLA Managing Content Security Policy
Talks about how to succeed at CSP. Tips on applying policies, managing reports, and managing a project. It also talks about CSP level 2 features such asâ€¦
ama-ch 2014/11/09
csp

slide
ãƒªãƒ³ã‚¯
Introducing Content Security Policy - MDC Doc Center
ã“ã®ãƒšãƒ¼ã‚¸ã¯ã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ãƒ¼ã®å°½åŠ›ã§è‹±èªžã‹ã‚‰ç¿»è¨³ã•ã‚Œã¾ã—ãŸã€‚MDN Web Docs ã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ãƒ¼ã«ã¤ã„ã¦ã‚‚ã£ã¨çŸ¥ã‚Šã€ä»²é–“ã«ãªã‚‹ã«ã¯ã“ã¡ã‚‰ã‹ã‚‰ã€‚ Pï¿½ ï¿½View in English ï¿½ï¿½ï¿½Always switch to English ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒãƒªã‚·ãƒ¼ (CSP) ã¯ã€ç‰¹å®šã®ç¨®é¡žã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£è„…å¨ã®ãƒªã‚¹ã‚¯ã‚’é˜²æ¢ã¾ãŸã¯æœ€å°é™ã«æŠ‘ãˆã‚‹ã®ã«å½¹ç«‹ã¤æ©Ÿèƒ½ã§ã™ã€‚ã“ã‚Œã¯ã€ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‹ã‚‰ãƒ–ãƒ©ã‚¦ã‚¶ãƒ¼ã¸ã®ä¸€é€£ã®æŒ‡ç¤ºã§æ§‹æˆã•ã‚Œã¦ãŠã‚Šã€ã‚µã‚¤ãƒˆã‚’æ§‹æˆã™ã‚‹ã‚³ãƒ¼ãƒ‰ãŒå®Ÿè¡Œã§ãã‚‹ã“ã¨ã‚’åˆ¶é™ã™ã‚‹ã‚ˆã†ã«ãƒ–ãƒ©ã‚¦ã‚¶ãƒ¼ã«æŒ‡ç¤ºã—ã¾ã™ã€‚ CSP ã®ä¸»ãªç”¨é€”ã¯ã€æ–‡æ›¸ãŒèªã¿è¾¼ã‚€ã“ã¨ã‚’è¨±å¯ã™ã‚‹ãƒªã‚½ãƒ¼ã‚¹ã€ç‰¹ã« JavaScript ãƒªã‚½ãƒ¼ã‚¹ã‚’åˆ¶å¾¡ã™ã‚‹ã“ã¨ã§ã™ã€‚ã“ã‚Œã¯ä¸»ã«ã€æ”»æ’ƒè€…ãŒè¢«å®³è€…ã®ã‚µã‚¤ãƒˆã«æ‚ªæ„ã®ã‚ã‚‹ã‚³ãƒ¼ãƒ‰ã‚’æ³¨å…¥ã™ã‚‹ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚° (XSS) æ”»æ’ƒã«å¯¾ã™ã‚‹é˜²å¾¡ã¨ã—ã¦ä½¿ç”¨ã•ã‚Œã¾ã™ã€‚ CSP ã«ã¯ä»–ã«ã‚‚ã€ã‚¯
ama-ch 2014/11/09
security

csp
ãƒªãƒ³ã‚¯
CSP Lv.2ã®è©±
#ssmjp 2014/10 XSSã®é‹ç”¨ã®è©± é–“é•ã„ãªã©ã‚ã‚Šã¾ã—ãŸã‚‰ @yagihashoo ã¾ã§ã€‚ ## 10/28 9:26è¿½è¨˜ nonce-valueã€è¦æ ¼ä¸Šã¯Base64ã ã‚ˆï¼ã¨ã„ã†æŒ‡æ‘˜ã‚’ã„ãŸã ã„ãŸã®ã§ã‚¹ãƒ©ã‚¤ãƒ‰18-19ã‚’ä¿®æ£ã—ã¾ã—ãŸã€‚ è©³ç´°ã¯ä»¥ä¸‹ã‚’ã”è¦§ãã ã•ã„ã€‚ http://www.w3.org/TR/CSP2/#source-list-valid-nonces ## 10/29 15:00è¿½è¨˜ Path matchingã®ä¾‹ç¤ºã«ã¤ã„ã¦é–“é•ã„ãŒã‚ã£ãŸãŸã‚ã‚¹ãƒ©ã‚¤ãƒ‰14ã‚’ä¿®æ£ã—ã¾ã—ãŸã€‚
ama-ch 2014/10/29
csp

xss

slide
ãƒªãƒ³ã‚¯
å¼Šç¤¾ã®ãƒ›ãƒ¼ãƒ ãƒšãƒ¼ã‚¸ã«Content Security Policy(CSP)ã‚’å°Žå…¥ã—ã¾ã—ãŸ
å¼Šç¤¾ã®ãƒ›ãƒ¼ãƒ ãƒšãƒ¼ã‚¸ã«CSP(Content Security Policy)ã‚’å°Žå…¥ã—ã¾ã—ãŸã€‚CSPã«ã¤ã„ã¦ã¯ã€ã¯ã›ãŒã‚ã‚ˆã†ã™ã‘æ°ã®ã‚¹ãƒ©ã‚¤ãƒ‰ã€Œ5åˆ†ã§ã‚ã‹ã‚‹CSPã€ãŒã‚ã‹ã‚Šã‚„ã™ã„ã¨æ€ã„ã¾ã™ã€‚ä»¥ä¸‹ã«ã‚¹ãƒ©ã‚¤ãƒ‰ã®ä¸€éƒ¨ã‚’å¼•ç”¨ã—ã¾ã™ã€‚ å…·ä½“çš„ã«ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ã«æŒ‡å®šã—ã¦ä½¿ã„ã¾ã™ã€‚ Content-Security-Policy: default-src 'self' ã“ã®çµæžœã€ä»¥ä¸‹ã®ã‚ˆã†ã«JavaScriptã®è¨˜è¿°ãŒåˆ¶é™ã•ã‚Œã¾ã™ã€‚ å¤–éƒ¨ã®JavaScriptã®èªã¿è¾¼ã¿ã¯ç¦æ¢ HTMLã‚½ãƒ¼ã‚¹ã«è¨˜è¿°ã—ãŸ<script>...</script>ã®JavaScriptã¯ç¦æ¢ ã‚¤ãƒ™ãƒ³ãƒˆå±žæ€§(onload="xxxx"ãªã©)ã¯ç¦æ¢ ä½•ã‚‚æ›¸ã‘ãªããªã‚‹ã˜ã‚ƒãªã„ã‹ã¨æ€ã‚ã‚Œã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒã€JavaScriptã¯å…¨ã¦*.jsãƒ•ã‚¡ã‚¤ãƒ«ã«è¨˜è¿°ã™ã‚Œã°ã‚ˆã„ã€ã¨ã„ã†ã“ã¨ã§ã™ã€‚ CSPã¯ã€JavaScriptã®ã‚³ãƒ¼ãƒ‰ã¨ãƒ‡ãƒ¼ã‚¿ã‚’åˆ†é›¢ã—ã¦
ama-ch 2013/12/08
security

csp
ãƒªãƒ³ã‚¯
1