"Content Security Policy" — Алексей Андросов, MoscowJS 18
Slides from the talk "Content Security Policy" by Алексей Андросов
  1. MoscowJS
  2. Яндекс
  4. Content-Security-Policy: <policy>
     Content-Security-Policy-Report-Only: <policy>
     [protocol://]domain[:port]
  6. Content-Security-Policy: default-src 'none'; frame-src awaps.yandex.ru; img-src 'self' yastatic.net *.yandex.net; script-src 'unsafe-eval' 'unsafe-inline' yastatic.net; style-src 'unsafe-inline' yastatic.net; report-uri /csp-report?from=mail
  10. <script src="//evil.com/give-me-your-money.js"></script>
      Content-Security-Policy: default-src 'none'; img-src 'self' yastatic.net *.yandex.net; script-src 'unsafe-eval' 'unsafe-inline' yastatic.net; style-src 'unsafe-inline' yastatic.net; report-uri /csp-report?from=mail
  14. img-src 'self' yastatic.net *.yandex.net
  15. connect-src, font-src, frame-src, img-src, media-src, object-src, script-src, style-src
  16. default-src, report-uri
  17. 'self', 'none', 'unsafe-inline' (script-src, style-src), 'unsafe-eval' (script-src, style-src)
  18. <script> alert('Look at me!') </script>
      <a onclick="alert('Look at me!')">link</a>
  19. <style> .body {color: #000} </style>
  20. eval, new Function(), setTimeout('var a = 1', 10)
  22. { "csp-report": { "document-uri": "https://mail.yandex.ru/neo2/", "referrer": "http://www.yandex.ru/", "violated-directive": "script-src ...", "original-policy": "...вся политика...", "blocked-uri": "...заблокированный ресурс..." } }
  26. form-action, frame-ancestors, plugin-types, nonce-, hash-, <meta>, unsafe-eval style-src
  27. nonce, unsafe-inline, nonce
  28. Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' 'nonce-ccc5b86a' yastatic.net
      <!-- Blocked: nonce attribute missing -->
      <script> alert("Мені не подобається Київ") </script>
  29. Content-Security-Policy: default-src 'self'; script-src 'nonce-ccc5b86a' yastatic.net
      <!-- Blocked: nonce attribute does not match -->
      <script nonce="42"> alert("Мені не подобається Київ") </script>
  30. Content-Security-Policy: default-src 'self'; script-src 'nonce-ccc5b86a' yastatic.net
      <!-- Executed: nonce attribute is valid -->
      <script nonce="ccc5b86a"> alert("Мені подобається Київ") </script>
  31. Content-Security-Policy: default-src 'self'; script-src 'nonce-ccc5b86a' yastatic.net
      <!-- Executed: src is valid -->
      <script src="//yastatic.net/page.js"></script>
  32. Content-Security-Policy: default-src 'self'; script-src 'nonce-ccc5b86a' yastatic.net
      <!-- Executed: nonce is valid -->
      <script nonce="ccc5b86a" src="//yandex.net/page.js"></script>
  33. default-src 'none', default-src, Content-Security-Policy, Content-Security-Policy-Report-Only
  34. X-Content-Security-Policy, *, style-src 'unsafe-eval'
  35. report-uri, Content-Security-Policy-Report-Only
  36. location / { add_header Content-Security-Policy-Report-Only "...."; }
  37. response.setHeader("Content-Security-Policy-Report-Only", "...");
  38. Content-Security-Policy-Report-Only, Content-Security-Policy
