Firefox Security Features
Mozilla Workshop @ Tokyo 6th
Slides introducing the security features covered in the second half

Published in: Technology, News & Politics
Transcript

  • 1. Security Features. Slides @ Mozilla Workshop @ Tokyo 6th, by Tomoya ASAI (dynamis); last update on 2011.10.01; see also: http://dynamis.jp/r
  • 2. Tomoya ASAI (dynamis), Mozilla Japan - Technical mktg. http://dynamis.jp/ http://facebook.com/dynamis http://twitter.com/dynamitter dynamis@mozilla-japan.org dynamis (dunamis)
  • 3. Agenda: about:Mozilla / Content Security Policy / Security / Privacy / latest topic
  • 4. Facebook Twitter
  • 5. about:mozilla.com brain .org heart
  • 6. http://www.flickr.com/photos/intothefuzz/5577427601/
  • 7. http://www.flickr.com/photos/intothefuzz/5578011308/
  • 8. http://www.mozilla.org/about/manifesto.ja.html
  • 9. http://www.flickr.com/photos/intothefuzz/5577430083/
  • 10. CSP: Content Security Policy
  • 11. https://developer.mozilla.org/ja/Introducing_Content_Security_Policy
  • 12. CSS
  • 13. <!-- Inline CSS is not applied under the latest spec (not yet implemented) -->
        <style> body { font-size: 200%; } </style>
        <p style="font-size: 200%;">I love lesser panda!</p>
        <!-- Inline JavaScript is not executed (implemented) -->
        <script> alert("inline script"); </script>
        <p onclick="alert('inline script')">Red panda!</p>
        <!-- External CSS and JavaScript are allowed by default -->
        <link rel="stylesheet" href="external.css"/>
        <script src="external.js"></script>
        https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy
  • 14. /* Executing these raises an error (and the code after them is ignored too) */
        eval("alert(☺)");
        // call to eval("alert(☺)") blocked by CSP
        new Function("alert(☺)");
        // call to Function() blocked by CSP
        setTimeout("alert(☺)", 0);
        setInterval("alert(☺)", 0);
        // call to setTimeout/setInterval blocked by CSP
        <!-- data: URLs are ignored as well -->
        <img id="dataimg" src="data:image/png;base64,AAAB ..."/>
  • 15. # Use the Header directive in httpd.conf or .htaccess
        Header always append X-Content-Security-Policy "default-src 'self'"
        # When using a policy file, don't forget AddType as well
        AddType "text/x-content-security-policy" .csp
        Header always append X-Content-Security-Policy "policy-uri /csp/policy.csp"
  • 16. // All content from the same domain only (subdomains not allowed either)
        X-Content-Security-Policy: default-src 'self'
        // Allow only the site itself and subdomains of dynamis.jp
        X-Content-Security-Policy: default-src 'self' *.dynamis.jp
        // Loads from secure.mozilla.jp over HTTPS only
        X-Content-Security-Policy: default-src https://secure.mozilla.jp/
        https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy
  • 17. // Images from any site; media files and JS limited to the named sites
        // (a single header line in practice; it was wrapped only for the slide)
        X-Content-Security-Policy: default-src 'self'; img-src *; media-src video.tld audio.tld; script-src script.tld;
        // The site itself and *.mail.jp fully allowed; other sites limited to images
        // Anything not specified (scripts etc.) is treated the same as default-src
        X-Content-Security-Policy: default-src 'self' *.mail.jp; img-src *
        https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy
  • 18. // Specify the URL the browser sends violation reports to
        // Reports arrive as JSON and are processed on the server
        X-Content-Security-Policy: report-uri /csp/report
        // To send violation reports without actually blocking execution
        // (useful for working out the policy an existing site needs)
        X-Content-Security-Policy-Report-Only: report-uri /csp/report
        https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy
  • 19. https://github.com/bsterne/bsterne-tools/tree/master/csp-bookmarklet
  • 20. Security: more Secure Web...
  • 21. http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/
  • 22. // For 86400 seconds, forbid HTTP connections to this site
        Strict-Transport-Security: max-age=86400
        // Also forbid HTTP connections to subdomains of the sending site
        Strict-Transport-Security: max-age=86400; includeSubdomains
        http://code.google.com/intl/ja/apis/webfonts/docs/getting_started.html
  • 23. # To set it site-wide in the Apache configuration:
        Header always append X-Frame-Options SAMEORIGIN
        Fx 3.6.9
        https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
  • 24. http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/
  • 25. // Allow pages from dynamis.jp to read this site
        Access-Control-Allow-Origin: http://dynamis.jp
        // Allow reads from any site (for public APIs and the like)
        Access-Control-Allow-Origin: *
        https://developer.mozilla.org/en/http_access_control
  • 26. Privacy: more Comfortable Web...
  • 27. https://developer.mozilla.org/en/The_Do_Not_Track_Field_Guide
  • 28. latest topic: how about Amazon Silk?
  • 29. http://amazonsilk.wordpress.com/2011/09/28/introducing-amazon-silk/
  • 30. http://amazonsilk.wordpress.com/2011/09/28/introducing-amazon-silk/
  • 31. http://amazonsilk.wordpress.com/2011/09/28/introducing-amazon-silk/
  • 32. http://amazonsilk.wordpress.com/2011/09/28/introducing-amazon-silk/
  • 33. Amazon Silk FAQ : http://t.co/encBio73
  • 34. Any Question ?
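An added example, not part of the slides, that evaluates the X-Content-Security-Policy header syntax shown on slides 15 to 17 in Python: 'self', *, wildcard subdomains (*.dynamis.jp), scheme-qualified hosts (https://secure.mozilla.jp/) and the fall-back of unspecified directives to default-src described on slide 17. The page origin www.example.jp and the resource URLs are constructed sample values.

```python
from urllib.parse import urlsplit

def parse_policy(header):
    """Split "default-src 'self'; img-src *" into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, page_origin, resource_url):
    """Does one source expression permit loading resource_url into a page at page_origin?"""
    res, page = urlsplit(resource_url), urlsplit(page_origin)
    if res.scheme not in ("http", "https"):
        return False   # e.g. data: URLs (slide 14); scheme-only sources are not modelled here
    if source == "*":
        return True
    if source == "'self'":
        return (res.scheme, res.hostname, res.port) == (page.scheme, page.hostname, page.port)
    # Host sources: "video.tld", "*.dynamis.jp" or scheme-qualified "https://secure.mozilla.jp/"
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != res.scheme:
        return False
    src_host, res_host = src.hostname or "", res.hostname or ""
    if src_host.startswith("*."):
        return res_host.endswith(src_host[1:])   # *.dynamis.jp covers www.dynamis.jp, not dynamis.jp
    return src_host == res_host

def is_allowed(header, directive, page_origin, resource_url):
    """A directive absent from the policy falls back to default-src (slide 17)."""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, page_origin, resource_url) for s in sources)

if __name__ == "__main__":
    # Constructed sample: the first policy on slide 17, for a page served from www.example.jp.
    policy = "default-src 'self'; img-src *; media-src video.tld audio.tld; script-src script.tld"
    page = "https://www.example.jp"
    checks = [("img-src", "http://any.example/logo.png"),        # allowed: img-src *
              ("script-src", "https://www.example.jp/app.js"),  # blocked: script-src replaces default-src
              ("style-src", "https://www.example.jp/site.css")] # allowed: falls back to default-src 'self'
    for directive, url in checks:
        print(directive, url, "allowed" if is_allowed(policy, directive, page, url) else "blocked")
```

Note that the site's own scripts are blocked under the first slide 17 policy: a script-src directive replaces default-src rather than extending it.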
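A second added example, also not part of the slides, that audits a response's headers for the settings on slides 22 (Strict-Transport-Security), 23 (X-Frame-Options) and 25 (Access-Control-Allow-Origin). The minimum max-age of 86400 seconds is taken from slide 22; the sample responses are constructed and not captured from any real server.

```python
import re

def audit_headers(headers, min_hsts_age=86400):
    """Check response headers against slides 22, 23 and 25.

    Returns a list of findings; an empty list means every check passed.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security: plain HTTP connections are still possible")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < min_hsts_age:
            findings.append(f"HSTS max-age {age} is below {min_hsts_age} seconds")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains (no includeSubdomains)")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or unrecognised: the page can be framed (clickjacking)")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin *: any site may read this response (only for public APIs)")
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    hardened = {"Strict-Transport-Security": "max-age=86400; includeSubdomains",
                "X-Frame-Options": "SAMEORIGIN",
                "Access-Control-Allow-Origin": "http://dynamis.jp"}
    weak = {"Strict-Transport-Security": "max-age=600", "Access-Control-Allow-Origin": "*"}
    for label, hdrs in (("hardened", hardened), ("weak", weak)):
        print(label, audit_headers(hdrs) or ["ok"])
```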