
Introduction: Content Security Policy (CSP) - ゼロから始めるセキュリティ勉強会 #14


This was delivered mostly as a spoken talk, so the context jumps in places, but I hope it is useful as a reference. If you spot mistakes or have comments, please let me know at @lmt_swallow! m(__)m

[Correction]
p.8 is wrong (it is a GET and an ordinary request, so no preflight request is sent), so please skip it...! (thanks: @xrekkusu)


  1. Introduction: Content Security Policy (CSP) - ゼロから始めるセキュリティ勉強会 #14. Takashi Yoneuchi (@lmt_swallow), https://shift-js.info
  2. © 2018 shift-js.info All Rights Reserved. Outline
  3. What's "CSP"?
  4. CSP: Content Security Policy. Timeline: 2010, first proposed; 2012, W3C CR: CSP 1.0; 2016, W3C REC: CSP Lv. 2; 2018, W3C WD: CSP Lv. 3
  5. What does CSP enable us to do?
  6. Umm, is it something like SOP (Same-Origin Policy)?
  7. If SOP were enabled but CSP were not?
  8. Is SOP enough for protecting our important information?
  9. So, what's the role of CSP?
  10. If CSP were correctly configured?
  11. e.g. Twitter
  12. e.g. Chrome Extension
  13. How can I use CSP?
  14. 0. NOTE
  15. 1. Remove inline scripts & evals
  16. 1. Before
  17. 1. After
  18. 2. Add a HTTP Header
  19. e.g.
  20. Tips: source-expression
  21. Tips: directives (in part)
  22. Tips: keyword-source
  23. Tips: host-source
  24. Tips: (hash|nonce)-source
  25. e.g. Add a HTTP Header
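The two deployment steps from the slides (remove inline scripts, then add the header) and the hash/nonce source types, worked through as an added Python example that is not from the slides or from shift-js.info. The inline script body is a constructed sample, and the helper names are my own; the hash is SHA-256 over the script's exact UTF-8 text, base64-encoded, as the CSP spec defines hash-source.

```python
from __future__ import annotations
import base64
import hashlib
import secrets

# Constructed sample inline script, exactly as it sits between <script> tags.
# The hash covers this exact text, whitespace included, so any edit breaks it.
INLINE_SCRIPT = "console.log('hello');"


def hash_source(script_text: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source expression ('sha256-<base64>') for a script body."""
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def nonce_source() -> tuple[str, str]:
    """Return (raw nonce, CSP nonce-source). The raw value goes into the
    <script nonce="..."> attribute and must be fresh and unguessable per response."""
    raw = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return raw, f"'nonce-{raw}'"


def build_header(directives: dict[str, list[str]]) -> str:
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def inline_script_allowed(policy: dict[str, list[str]], script_text: str,
                          nonce: str | None = None) -> bool:
    """Decide whether an inline script executes under script-src (falling back to
    default-src). Mirrors the CSP rule that 'unsafe-inline' is ignored as soon as
    a nonce- or hash-source is present in the same directive."""
    srcs = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in srcs:
        return True
    return hash_source(script_text) in srcs


if __name__ == "__main__":
    policy = {"default-src": ["'self'"],
              "script-src": ["'self'", hash_source(INLINE_SCRIPT)]}
    print("Content-Security-Policy:", build_header(policy))
    print("inline script allowed:", inline_script_allowed(policy, INLINE_SCRIPT))
```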
  26. The problems around CSP
  27.
  28. ?
  29. Conclusion
  30. If SOP were enabled but CSP were not?
  31. Conclusion
  32. References
  33. References
  34. Thank you for listening :-) Any Questions? @lmt_swallow https://shift-js.info
