パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

• Web
►
• Cross Site Scripting (XSS)
► Web
► Web
► 3
• Client-Side XSS
1

XSS Client-Side XSS
• Client-Side XSS ( : DOM Based XSS) [1]
2[1]. IPA, “IPA DOM Based XSS ”, https://www.ipa.go.jp/files/...

XSS
3
Client-Side XSS [2]
HTML XSS
Content Security PolicyWeb Application Firewall
[2]. Sebastian Lekies, Krzysztof Kotowi...

Client-Side XSS
• Client-Side XSS
► [3]
► [4]
► [5]
► … etc
4
JavaScript Web
[3]. Ben Stock, Sebastian Lekies, Tobias Muel...

Trusted Types
• [6]
► Trusted Types
5
$('div').innerHTML = '<img src=/ onerror="alert(10)">' // ERROR
const escapePolicy =...

Trusted Types
• 3
►
► Web
► DOM
• Trusted Types JavaScript
►
► Web Web
6

let trusted = "https://example.co.jp/";
let host = location.host;
let hash = location.hash;
document.writeln(trusted); // ...

• OSS JavaScript Web
► V8: 7.7.299.11
► Chromium: 77.0.3865.90
81 2
let trusted = "https://example.co.jp/";
let host = loc...

• JavaScript
•
►
9
Stock
[3]
Parameshwaran
[4] 1 2
Web
×
Web Web
( ) 7~17% 5% 1.2% 0.4~1.2%
0.16% - 46.2% 10.9%

•
► Trusted Types
• 2 URL ? #
10
2 1269 1.1%
))
(
047
12 4 7
36 36 58

Share Slideshare

LinkedIn
Facebook
Twitter

Embed

Size (px)

Show related Slideshows at end

WordPress Shortcode

Link

Share
Email

2024 Trend Updates: What Really Wor... by Search Engine Jou... 1052471 views
Storytelling For The Web: Integrate... by Chiara Aliotta 967761 views
Artificial Intelligence, Data and C... by OECD Directorate ... 900577 views
How to Leverage AI to Boost Employe... by SocialHRCamp 380598 views
2024 State of Marketing Report – by... by Marius Sescu 215763 views
Everything You Need To Know About C... by Expeed Software 233752 views

View on Slideshare

1 of 10 Ad

View on Slideshare

1 of 10 Ad