[B! csp] ama-chã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ama-ch id:ama-ch

cspã«é–¢ã™ã‚‹ama-chã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Integrity protection for third-party JavaScript
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the fâ€¦
ama-ch 2015/06/16
security

slide

csp

hsts

sri
ãƒªãƒ³ã‚¯
ãã‚ãã‚CSP Lv.2 nonceã‚„ã‚ã† - teppeis blog
tl;dr CSP Lv.2ã®nonceã‚’ä½¿ã†ã¨æ„å¤–ã¨ç°¡å˜ã«CSPã®æ©æµã‚’å—ã‘ã‚Œã‚‹ã‚ˆ Firefoxã¯unsafe-inlineã¨ã®æŒ™å‹•ãŒãŠã‹ã—ã„ã®ã§æ³¨æ„ ã‚µãƒ³ãƒ—ãƒ«å®Ÿè£…ã¨ã—ã¦Expressã§ç°¡å˜ã«nonceå¯¾å¿œã§ãã‚‹connectãƒ—ãƒ©ã‚°ã‚¤ãƒ³ã‚’æ›¸ã„ãŸï¼ˆãƒ‡ãƒ¢ã‚ã‚Šï¼‰ Violation Reportã‚‚ãƒ–ãƒ©ã‚¦ã‚¶ã«ã‚ˆã£ã¦ç´°ã‹ã„æŒ™å‹•ã®å·®ç•°ãŒã‚ã‚‹ã‚ˆ CSP Lv.2 nonceã®ç™»å ´ã¨èƒŒæ™¯ CSPã®ç‰¹ã«unsafe-inlineã¯XSSã«å¯¾ã—ã¦æœ€çµ‚é˜²è¡›ç·šçš„ã«å¼·åŠ›ãªåŠ¹æžœãŒã‚ã‚‹ã€‚ ã—ã‹ã—ç‰¹ã«ã‚µãƒ¼ãƒãƒ¼ã‹ã‚‰ã®å€¤ã®å—ã‘æ¸¡ã—éƒ¨åˆ†ãªã©ã§ã©ã†ã—ã¦ã‚‚inline scriptã‚’ä½¿ã„ãŸããªã‚‹ã¨ã“ã‚ãŒã‚ã‚Šã€unsafe-inlineã‚’ç¦æ¢ã™ã‚‹ã¨DOM dataç‰ã‚’ä½¿ã‚ã–ã‚‹ã‚’å¾—ãšã€ã¤ã‚‰ã„æ„Ÿã˜ã ã£ãŸã€‚ @kazuho ã§ã™ãã€‚ã‹ã¨ã„ã£ã¦DOM dataã‹ãƒ¼ã€ã€ã¨ã„ã†æ„Ÿã˜ã§ã¯ã‚ã‚‹ã‚“ã§ã™ãŒã€CSPã§inline scriptç¦æ¢ã—ã¡
ama-ch 2014/11/12
csp
ãƒªãƒ³ã‚¯
BSidesLA Managing Content Security Policy
Talks about how to succeed at CSP. Tips on applying policies, managing reports, and managing a project. It also talks about CSP level 2 features such asâ€¦
ama-ch 2014/11/09
csp

slide
ãƒªãƒ³ã‚¯
Introducing Content Security Policy - MDC Doc Center
HTTP ã‚¬ã‚¤ãƒ‰ HTTP ã®æ¦‚è¦ å…¸åž‹çš„ãª HTTP ã‚»ãƒƒã‚·ãƒ§ãƒ³ HTTP ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ MIME ã‚¿ã‚¤ãƒ—ï¼ˆIANA ãƒ¡ãƒ‡ã‚£ã‚¢ç¨®åˆ¥ï¼‰ HTTP ã®åœ§ç¸® HTTP ã‚ãƒ£ãƒƒã‚·ãƒ¥ HTTP èªè¨¼ HTTP Cookie ã®ä½¿ç”¨ HTTP ã®ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ãƒˆ HTTP æ¡ä»¶ä»˜ããƒªã‚¯ã‚¨ã‚¹ãƒˆ HTTP ç¯„å›²ãƒªã‚¯ã‚¨ã‚¹ãƒˆ ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ãƒã‚´ã‚·ã‚¨ãƒ¼ã‚·ãƒ§ãƒ³ HTTP/1.x ã®ã‚³ãƒã‚¯ã‚·ãƒ§ãƒ³ç®¡ç† HTTP ã®é€²åŒ– ãƒ—ãƒãƒˆã‚³ãƒ«ã®ã‚¢ãƒƒãƒ—ã‚°ãƒ¬ãƒ¼ãƒ‰ã®ä»•çµ„ã¿ ãƒ—ãƒã‚ã‚·ã‚µãƒ¼ãƒãƒ¼ã¨ãƒˆãƒ³ãƒãƒªãƒ³ã‚° HTTP ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆãƒ’ãƒ³ãƒˆ HTTP ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ ã‚µã‚¤ãƒˆã®å®‰å…¨åŒ– HTTP Observatory Permissions Policy ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒãƒªã‚·ãƒ¼ (CSP) ã‚ªãƒªã‚¸ãƒ³é–“ãƒªã‚½ãƒ¼ã‚¹å…±æœ‰ (CORS) Cross-Origin Resource Policy (CORP) Strict-Transport-Securit
ama-ch 2014/11/09
security

csp
ãƒªãƒ³ã‚¯
CSP Lv.2ã®è©±
#ssmjp 2014/10 XSSã®é‹ç”¨ã®è©± é–“é•ã„ãªã©ã‚ã‚Šã¾ã—ãŸã‚‰ @yagihashoo ã¾ã§ã€‚ ## 10/28 9:26è¿½è¨˜ nonce-valueã€è¦æ ¼ä¸Šã¯Base64ã ã‚ˆï¼ã¨ã„ã†æŒ‡æ‘˜ã‚’ã„ãŸã ã„ãŸã®ã§ã‚¹ãƒ©ã‚¤ãƒ‰18-19ã‚’ä¿®æ£ã—ã¾ã—ãŸã€‚ è©³ç´°ã¯ä»¥ä¸‹ã‚’ã”è¦§ãã ã•ã„ã€‚ http://www.w3.org/TR/CSP2/#source-list-valid-nonces ## 10/29 15:00è¿½è¨˜ Path matchingã®ä¾‹ç¤ºã«ã¤ã„ã¦é–“é•ã„ãŒã‚ã£ãŸãŸã‚ã‚¹ãƒ©ã‚¤ãƒ‰14ã‚’ä¿®æ£ã—ã¾ã—ãŸã€‚Read less
ama-ch 2014/10/29
csp

xss

slide
ãƒªãƒ³ã‚¯
å¼Šç¤¾ã®ãƒ›ãƒ¼ãƒ ãƒšãƒ¼ã‚¸ã«Content Security Policy(CSP)ã‚’å°Žå…¥ã—ã¾ã—ãŸ
å¼Šç¤¾ã®ãƒ›ãƒ¼ãƒ ãƒšãƒ¼ã‚¸ã«CSP(Content Security Policy)ã‚’å°Žå…¥ã—ã¾ã—ãŸã€‚CSPã«ã¤ã„ã¦ã¯ã€ã¯ã›ãŒã‚ã‚ˆã†ã™ã‘æ°ã®ã‚¹ãƒ©ã‚¤ãƒ‰ã€Œ5åˆ†ã§ã‚ã‹ã‚‹CSPã€ãŒã‚ã‹ã‚Šã‚„ã™ã„ã¨æ€ã„ã¾ã™ã€‚ä»¥ä¸‹ã«ã‚¹ãƒ©ã‚¤ãƒ‰ã®ä¸€éƒ¨ã‚’å¼•ç”¨ã—ã¾ã™ã€‚ å…·ä½“çš„ã«ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ã«æŒ‡å®šã—ã¦ä½¿ã„ã¾ã™ã€‚ Content-Security-Policy: default-src 'self' ã“ã®çµæžœã€ä»¥ä¸‹ã®ã‚ˆã†ã«JavaScriptã®è¨˜è¿°ãŒåˆ¶é™ã•ã‚Œã¾ã™ã€‚ å¤–éƒ¨ã®JavaScriptã®èªã¿è¾¼ã¿ã¯ç¦æ¢ HTMLã‚½ãƒ¼ã‚¹ã«è¨˜è¿°ã—ãŸ<script>...</script>ã®JavaScriptã¯ç¦æ¢ ã‚¤ãƒ™ãƒ³ãƒˆå±žæ€§(onload="xxxx"ãªã©)ã¯ç¦æ¢ ä½•ã‚‚æ›¸ã‘ãªããªã‚‹ã˜ã‚ƒãªã„ã‹ã¨æ€ã‚ã‚Œã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒã€JavaScriptã¯å…¨ã¦*.jsãƒ•ã‚¡ã‚¤ãƒ«ã«è¨˜è¿°ã™ã‚Œã°ã‚ˆã„ã€ã¨ã„ã†ã“ã¨ã§ã™ã€‚ CSPã¯ã€JavaScriptã®ã‚³ãƒ¼ãƒ‰ã¨ãƒ‡ãƒ¼ã‚¿ã‚’åˆ†é›¢ã—ã¦
ama-ch 2013/12/08
security

csp
ãƒªãƒ³ã‚¯
1