[B! csp] hasegawayosukeのブックマーク

クロスサイトスクリプティング脆弱性を防止するTrusted Types API

Spring BootによるAPIバックエンド構築実践ガイド第2版何千人もの開発者が、InfoQのミニブック「Practical Guide to Building an API Back End with Spring Boot」から、Spring Bootを使ったREST API構築の基礎を学んだ。この本では、出版時に新しくリリースされたバージョンである Spring Boot 2 を使用している。しかし、Spring Boot3が最近リリースされ、重要な変...

hasegawayosuke 2019/05/07

リンク

[PDF] A CDN that can not XSS you Using Subresource Integrity

A CDN that can not XSS you Using Subresource Integrity about:frederik Frederik Braun Security Engineer at Mozilla fbraun@mozilla.com https://frederik-braun.com @freddyb Why am I here? https://www.mozilla.org/en-US/about/manifesto/ Content Delivery Networks <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script> <link href='http://fonts.google apis.com/css?family=PT+Sans…' rel='styleshe

hasegawayosuke 2015/05/29

sri
csp

リンク

SVG - Exploiting Browsers without Image Parsing Bugs

SVG Exploiting Browsers without Image Parsing Bugs Rennie deGraaf iSEC Partners 07 August 2014 Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 1 / 55 Outline 1 A brief introduction to SVG What is SVG? Using SVG with HTML SVG features 2 Attacking SVG Attack surface Security model Security model violations 3 Content Security Policy A brief introduction CSP Violations 4 Conclusion Rennie deGr

hasegawayosuke 2014/10/06

リンク

A primer on Content Security Policy

Content Security Policy (CSP) is as a security concept aiming to prevent XSS and other forms of browser–based attacks right where they happen — in the browser. CSP has been around for a little while but it’s only now that browser vendors are closing in on implementing most of the W3C specification. This talk will take a look at what CSP is, why it matters and how to use it with Ruby–based web appl

hasegawayosuke 2014/10/06

csp

リンク

Content-Security-Policy と nonce の話 - tokuhirom's blog

Content-Security-Policy の nonce を利用すると、XSS の脅威をかなり軽減できます。そこで、Web Application Framework ではデフォルトで対応したほうがよいのではないか、という旨を @hasegawayosuke さんから教えて頂いたので、実装について考えてみました。とりあえず CSP の nonce はどういうものなのかを考慮するために、コード例を探していたのですが、実際に動くサンプルというものが nonce 関連のもので見当たりませんでした。そこで、実際に動くサンプルを用意しました。 https://github.com/tokuhirom/csp-nonce-sample 以下は Sinatra で書かれたサンプルコードです。 require 'sinatra' require 'securerandom' get '/' d

hasegawayosuke 2014/09/26

よい。合わせて読みたい→https://twitter.com/teppeis/status/515295395543400448

csp

リンク

BSidesLA Managing Content Security Policy

Talks about how to succeed at CSP. Tips on applying policies, managing reports, and managing a project. It also talks about CSP level 2 features such as nonce and hash (and how it will save the world)

hasegawayosuke 2014/09/16

csp
security

リンク

User Interface Security Directives for Content Security Policy

UI Security and the Visibility API defines both a declarative and imperative means for resources displayed in an embedded context to protect themselves against having their content obscured, moved, or otherwise displayed in a misleading manner. This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publi

hasegawayosuke 2014/03/27

リンク

Javascript API proposal for CSP

While conversing with Mike West, I was told there's a need for JS API proposals for CSPs. Since this is an interest of mine, I thought I'd take a crack at it. He pointed me to a few reference points to get started: Use-Case Zero An Extensible Approach to Browser Security Policy To collect their suggestions, the API should be reflectable, perhaps be event-based (an "approval hook") and give clear o

hasegawayosuke 2014/03/26

csp

リンク

Hiding JSON-formatted data in the DOM with CSP enabled · Mathias Bynens

If Content Security Policy is enabled for protection against cross-site scripting attacks (i.e. the unsafe-inline option is not set), the use of inline <script>s is not allowed. In that case, how can we pass server-generated data to the front-end without negatively affecting load time and run-time performance? Introduction A common way to pass server-generated JSON-formatted data to the client so

hasegawayosuke 2013/08/27

リンク

Postcards from the post-XSS world

Postcards from the post-XSS world (2011) Michal Zalewski, <lcamtuf@coredump.cx> 1. Introduction HTML markup injection vulnerabilities are one of the most significant and pervasive threats to the security of web applications. They arise whenever, in the process of generating HTML documents, the underlying code inserts attacker-controlled variables into the output stream without properly screening t

hasegawayosuke 2013/08/27

あとで

csp
xss

リンク

Content Security Policy 1.0 を Firefox に導入

hasegawayosuke 2013/06/21

csp
firefox

リンク

CSP to the Rescue: Leveraging the Browser for Security

Programming is difficult — and difficult things generally don’t have a perfect solution. As an example, cross-site scripting (XSS) is still very much unsolved. It’s very easy to think you’re doing the right thing at the right time, but there are two opportunities to fail here: the fix might not be correct, and it might not be applied correctly. Escaping content (while still the most effective way

hasegawayosuke 2013/06/07

リンク

Preventing XSS with Content Security Policy

Ben Vinegar Software engineer at Disqus Co-author, Third-party JavaScript (Manning) Once ate 7 McDonald's cheeseburgers in one sitting Implemented Content Security Policy in Disqus Cross-Site Scripting (XSS) This is still a probl em Cross-site scripting (XSS) Vulnerability where attacker injects JavaScript code into a web document <?php $name = $_GET['name']; echo "Welcome $name"; ?> GET http://urs

hasegawayosuke 2013/05/08

csp
xss

リンク

Intent to Ship: Long Task API - Google Groups

hasegawayosuke 2013/05/01

あとで

リンク

Content Security Policy

EngineeringContent Security PolicyWe've started rolling out a new security feature called "Content Security Policy" or CSP. As a user, it will better protect your account against XSS attacks. But, be aware, it… We’ve started rolling out a new security feature called “Content Security Policy” or CSP. As a user, it will better protect your account against XSS attacks. But, be aware, it may cause iss

hasegawayosuke 2013/04/22

csp
github

リンク

CSP Readiness

CSP Readiness This is a test page to show how ready your browser is in it's Content Security Policy support. Currently tests img, object, script, style and iframe + inline and eval Version 1.1 - Based on latest spec at w3c. Is using Content-Security-Policy Version 1.1 with prefixed headers - Based on latest spec at w3c. 1.0 with proper header name - Based on the 1.0 spec at w3c. Is using Content-S

hasegawayosuke 2012/09/10

csp

リンク

コンテントセキュリティポリシー入門 - ずっと君のターン

Chromeの拡張機能はmanifest v2からCSP対応とかでいろいろと制限が厳しくなったわけですが、そもそもそのCSPがよく分からなかったので、HTML5Rocksの入門記事を訳してみました。ところどころよく分からなくて適当に訳してたりするので、おやっ？と思ったら原文参照のこと。 http://www.html5rocks.com/en/tutorials/security/content-security-policy/ コンテントセキュリティポリシー入門注: この記事はまだ完全に標準化を終えておらず不安定なAPIについて述べています。自身のプロジェクトで実験的なAPIを使う場合には注意が必要です。ウェブのセキュリティモデルは同一生成元ポリシーにその根拠を持ちます。 https://mybank.com のコードは https://mybank.com のデータにだけアクセス

hasegawayosuke 2012/08/21

リンク

http://blog.monoweb.info/article/2012031523.html

hasegawayosuke 2012/03/16

DOM based XSSは防げないこともあるし、サードパーティのアクセス解析など動かなくなるものもあるし、ポリシーのメンテ(運用)はかなり大変なんで、気軽にオススメできるものではないですね。あとCSPの文書はhttp://bit.ly/pdNAMz

xss
csp

リンク

More secure extensions, by default

$200K 1 10th birthday 4 abusive ads 1 abusive notifications 2 accessibility 3 ad blockers 1 ad blocking 2 advanced capabilities 1 android 2 anti abuse 1 anti-deception 1 background periodic sync 1 badging 1 benchmarks 1 beta 83 better ads standards 1 billing 1 birthday 4 blink 2 browser 2 browser interoperability 1 bundles 1 capabilities 6 capable web 1 cds 1 cds18 2 cds2018 1 chrome 35 chrome 81