7: Topics: XSS, CSRF; TLS; Same Origin Policy; JSON, JSONP, CORS; (Google Analytics); Web 1 / 24
Files for this lecture:
iframe err.html: iframe
same origin.html: iframe (see iframe err.html)
mashup.html: twitter, google, JSON
test.rb: ruby JSON
xhr2.html: XHR2
gbook.html, gmap.html
2 / 24
Threats: on the PC: ActiveX, Plugins; on the Web: https, Same Origin Policy (?); on the wire: Sniffing, Man-in-the-Middle (MITM), MITB, Replay; Spoofing (IP address, ARP, DNS), DNS; DDoS 3 / 24
OWASP Top 10-2013 (OWASP: Open Web Application Security Project):
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
OWASP: Web application security 4 / 24
Typical forms of web delivery. One page, one site: HTML, browser, http, server, LAMP (L: Linux, A: Apache, M: MySQL, P: PHP, Perl), img. One page, several sites: iframe, browser, several servers; the page is partitioned into frames, one per site. Example: the facebook Like button is an iframe:
<iframe src="http://www.facebook.com/plugins/like.php?href= &layout=standard&show_faces=true&width=300&action=like &colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:300px; height:80px;" allowtransparency="true"></iframe>
(X-Frame-Options controls who may frame a page.) This is where the same origin policy comes in. 5 / 24
Same Origin Policy. "Same origin" means two URLs agree on the host (FQDN) and on the scheme (http vs. https). 6 / 24
What a page may load from another origin: IFRAME, FRAME, FORM (the embedded document's DOM stays off limits); IMG; SCRIPT, CSS (fetched and executed across origins, which is what JSONP builds on); XmlHttpRequest (same origin only); XHR2 (cross-origin with CORS). 7 / 24
iframe example:
<iframe id="if1" src="...html"></iframe>
<iframe id="if2" src="...html"></iframe>
JS in if1 can reach the DOM of if2 only when the two iframes are same origin. Examples: iframe err.html, same origin.html [sic] 8 / 24
Is the path part of "same origin"? No. Cookies have a path scope, but the URL path plays no role in the Same origin policy. Related mechanisms: document.domain, X-FRAME-OPTIONS, the Cookie domain attribute, xhr, XHR2. 9 / 24
Cookies. Cookie scope is not the same thing as the same origin policy's origin. JS reads cookies through document.cookie, and an iframe sees the cookies of its own origin, not the parent's; cookies also carry a path. Flags: secure (sent over https only), httponly (not readable from JS). First-party cookie vs. third-party cookie: a third party can set a cookie through e.g. <img src="..."> embedded in the page. 10 / 24
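Added example (not from the slides): what "same origin" actually compares, next to the different rules a cookie uses for domain, path and the secure flag. It runs under Node.js, where the WHATWG URL class is built in; the function names and the cookie object shape are this example's own.

```javascript
// Origin = scheme + host + port. Path and query are not part of it.
function originOf(urlString) {
  // URL.origin drops default ports (80 for http, 443 for https) automatically
  return new URL(urlString).origin;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Cookie scope (RFC 6265) is not the origin: it is keyed on domain and path,
// ignores the port, and only looks at the scheme when the Secure flag is set.
// `cookie` is a constructed object: { domain?, hostOnly?, path?, secure? }.
function cookieWouldBeSent(cookie, urlString) {
  const u = new URL(urlString);
  const host = u.hostname;

  // Domain-match: a Domain attribute covers that domain and its subdomains;
  // a cookie without one is host-only.
  const domainOk = cookie.domain
    ? host === cookie.domain || host.endsWith('.' + cookie.domain)
    : host === cookie.hostOnly;

  // Path-match (RFC 6265 5.1.4): equal, or the cookie path is a prefix that
  // ends in "/" or is followed by "/" in the request path.
  const cpath = cookie.path || '/';
  const rpath = u.pathname;
  const pathOk =
    rpath === cpath ||
    (rpath.startsWith(cpath) &&
      (cpath.endsWith('/') || rpath.charAt(cpath.length) === '/'));

  // Secure cookies travel over https only; the port is never consulted.
  const secureOk = !cookie.secure || u.protocol === 'https:';
  return domainOk && pathOk && secureOk;
}
```

Note that a cookie scoped to `example.com` is sent to every subdomain, while the same origin policy treats `www.example.com` and `example.com` as unrelated; that mismatch is why a cookie set on one host can be read by a page on another.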
JSONP. The script element is not subject to the same origin policy, so a page can pull data from a third party by loading it as a script that calls back into the page. The callback must be defined before the script with the src attribute is loaded (an inline body inside a script tag that has src is ignored):
<script>
function callback(data){ ... }
</script>
<script src="http:...?jsonp=callback"></script>
(the jsonp= parameter names the function the API wraps its JSON in). The third-party script runs with the privileges of the page. 11 / 24
JSONP APIs: e.g. yahoo. See mashup.html for a JSONP example. 12 / 24
Communication between two iframes from different origins. iframe A and iframe B are served by different Web servers, so neither can read the other's DOM, and xhr cannot cross origins either. A frame may however set the location of another frame even across origins, and changing only location.hash does not reload it: A writes a message into B's location.hash and B reads its own hash; B does the same towards A. Used e.g. for resize: B tells A its size through the hash and A resizes the frame. 13 / 24
CORS (Cross-Origin Resource Sharing) (W3C Recommendation): relaxes the Same origin policy in three ways. Used by XMLHttpRequest level 2 and Server-sent events. Example: xhr2.html 14 / 24
CORS example. On www.3rdparty.com (.htaccess): Header set Access-Control-Allow-Origin "*" (this is what xhr2 relies on). www.example.com/webapp.html requests http://www.3rdparty.com/data.json with XHR2. The UA sends to www.3rdparty.com:
GET /data.json HTTP/1.1
Origin: www.example.com
www.3rdparty.com answers the UA with Access-Control-Allow-Origin: * and the response is exposed to the script (only a limited set of response headers is exposed; see "expose" in the W3C CORS spec). XHR2 then delivers the data. 15 / 24
CORS preflight. For PUT/DELETE the UA first sends a preflight: an OPTIONS request carrying Access-Control-Request-Method. If the server is OK with it, it answers with Access-Control-Allow-Methods; only then is the real PUT/DELETE sent. Why: a server that only ever expected Same Origin PUT/DELETE is not exposed to cross-origin PUT/DELETE by CORS unless it opts in. 16 / 24
CORS and credentials. By default the HTTP request is made with the omit credentials flag: the UA sends no user credentials (cookies), which is the right thing for a public API. Setting xhr.withCredentials = true sends the credentials; the server must then answer with Access-Control-Allow-Credentials: true, otherwise the response is not exposed to JS. The same applies to the preflight response when credentials are in play. 17 / 24
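Added example, not from the slides and not any real server's code: the server-side decision behind the CORS headers discussed in the three slides above (simple request, preflight, credentials), written as a function a Node.js handler could call. The `policy` object, the allowlists and the function names are this example's own; requests are plain `{ method, headers }` objects with lower-cased header names, as Node's http module delivers them.

```javascript
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_REQUEST_HEADERS = ['content-type', 'x-requested-with'];

function corsHeadersFor(req, policy) {
  // Refuse a policy that would echo any origin back together with credentials:
  // that hands every site on the web the user's cookies for this API.
  if (policy.allowCredentials && policy.allowAnyOrigin) {
    throw new Error('credentialed CORS needs an explicit origin allowlist');
  }

  const origin = req.headers['origin'];
  // No Origin header: same-origin navigation or a non-browser client; nothing to add.
  if (!origin) return { status: 200, headers: {} };

  const allowedOrigins = policy.allowedOrigins || [];
  if (!policy.allowAnyOrigin && !allowedOrigins.includes(origin)) {
    // Not allowlisted: add no CORS headers, so the browser withholds the
    // response from the script; a preflight from such an origin gets a 403.
    return { status: req.method === 'OPTIONS' ? 403 : 200, headers: {} };
  }

  const headers = {};
  if (policy.allowAnyOrigin) {
    headers['Access-Control-Allow-Origin'] = '*';         // public, credential-free data only
  } else {
    headers['Access-Control-Allow-Origin'] = origin;      // echo the allowlisted origin
    headers['Vary'] = 'Origin';                           // keep caches from mixing origins
  }
  if (policy.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true'; // required for withCredentials = true
  }

  const requestedMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && requestedMethod) {
    // Preflight: say what is allowed, send no body, touch no resource.
    if (!ALLOWED_METHODS.includes(requestedMethod)) return { status: 403, headers: {} };
    const wanted = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wanted.every((h) => ALLOWED_REQUEST_HEADERS.includes(h))) {
      return { status: 403, headers: {} };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_REQUEST_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }

  // Actual request: only the listed non-simple response headers are exposed to JS.
  if (policy.exposeHeaders && policy.exposeHeaders.length) {
    headers['Access-Control-Expose-Headers'] = policy.exposeHeaders.join(', ');
  }
  return { status: 200, headers };
}
```

The two policies worth comparing are `{ allowAnyOrigin: true }`, which is the `.htaccess` line from the slide and is fine for data that carries no user state, and `{ allowedOrigins: [...], allowCredentials: true }`, which is what a cookie-authenticated API needs: the browser rejects `*` together with `Access-Control-Allow-Credentials: true`, so the origin has to be echoed from an allowlist, never copied from the request unchecked.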
google analytics snippet:
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXX-Y', 'auto');
ga('send', 'pageview');
</script>
The same code with the arguments substituted:
window['GoogleAnalyticsObject'] = 'ga';
window['ga'] = window['ga'] || function(){          // keep an existing ga, else install a stub
  (window['ga'].q = window['ga'].q || []).push(arguments);   // queue the call's arguments in ga.q
};
window['ga'].l = 1*new Date();
a = s.createElement('script'), m = s.getElementsByTagName('script')[0];
a.async = 1; a.src = '//www.google-analytics.com/analytics.js';
m.parentNode.insertBefore(a, m);                     // insert the script tag
ga('create', 'UA-XXXX-Y', 'auto');                   // until analytics.js has loaded, ga() only pushes onto ga.q
ga('send', 'pageview');
18 / 24
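Added example, not Google's code: the command-queue trick the snippet above relies on, written out against a plain object that stands in for `window` so it runs under Node.js. The stub is what the inline snippet installs; the take-over is what a library does once it has loaded. `handler`, the function names and the fake window are this example's own constructions.

```javascript
// 1. What the inline snippet installs before analytics.js has loaded.
function installQueueStub(win, name) {
  win['GoogleAnalyticsObject'] = name;        // tells the library which global to take over
  win[name] = win[name] || function () {
    // Every call made before the library arrives is parked in the .q array.
    (win[name].q = win[name].q || []).push(Array.from(arguments));
  };
  win[name].l = 1 * new Date();               // timestamp of stub installation
  return win[name];
}

// 2. What the library does when it arrives: replace the global and replay .q.
// `handler` stands in for the library's command processing (constructed here).
function takeOverQueue(win, handler) {
  const name = win['GoogleAnalyticsObject'];
  const stub = win[name];
  const processed = [];
  const live = function () {
    processed.push(handler.apply(null, Array.from(arguments)));
  };
  live.l = stub.l;
  win[name] = live;
  for (const args of stub.q || []) live.apply(null, args);   // replay in order
  return processed;                                           // keeps growing with later calls
}
```

The point for a reviewer reading a third-party snippet: nothing happens at snippet time except the queue and the async script insertion, so every `ga(...)` argument on the page is visible in `window.ga.q` until the remote script arrives and drains it.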
analytics.js: Ga() sends a hit (names as in the minified source, comments added):
Ga=function(a,b,c,d){            // a: URL, b: payload, c: callback
  c=c||L;
  d&&(d=c,o[oa].sendBeacon?o[oa].sendBeacon(a,b)?(d(),d=!0):d=!1:d=!1);   // sendBeacon (W3C Beacon API) when requested
  if(!d)                         // sendBeacon not used, or it refused the data
    if(2036>=b[y]) wc(a,b,c);    // payload up to 2036: wc(), image GET
    else if(8192>=b[y]){         // 2036 < payload <= 8192
      if(0<=o[oa].userAgent[t]("firefox")&&![].reduce) throw new Ea(b[y]);
      wd(a,b,c)||xd(a,b,c)||Fa(b,c)||c()
    } else throw new Da(b[y]);   // over 8192: error (?)
},
wc=function(a,b,c){ var d=Ca(a+"?"+b); ... }
function Ca(a){ var b=m[u]("img"); b.width=1; b.height=1; b.src=a; return b }   // m=document, u="createElement": a 1x1 img
Transports tried in turn: wd(): XHR POST (returns false if XHR is unavailable; Measurement Protocol); xd(): IE XDomainRequest (false if not IE); Fa(): GET through a 0x0 iframe. 19 / 24
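Added example, not Google's code: the transport choice made by Ga() above, rewritten readably so the branches can be exercised. `nav` is a constructed stand-in for `navigator` (with a `sendBeacon` and two capability flags this example invents); the size limits are the 2036 and 8192 from the minified source. Knowing which transport a given payload size produces tells an analyst what to look for on the wire: a 1x1 image GET with the hit in the query string, a POST, or a beacon.

```javascript
const IMAGE_GET_MAX = 2036;   // wc(): 1x1 image GET, payload goes in the query string
const XHR_POST_MAX = 8192;    // wd()/xd()/Fa(): POST via XHR, XDomainRequest or hidden iframe

function chooseTransport(nav, url, payload, opts = {}) {
  // The `d && ...` branch: use sendBeacon only when asked for, available,
  // and the browser actually accepted (queued) the data.
  if (opts.useBeacon && typeof nav.sendBeacon === 'function' && nav.sendBeacon(url, payload)) {
    return 'sendBeacon';
  }
  const len = payload.length;             // b[y] in the minified source: length of the encoded hit
  if (len <= IMAGE_GET_MAX) return 'image';
  if (len <= XHR_POST_MAX) {
    // wd() || xd() || Fa(): the first transport that works wins
    if (nav.hasXhrCors) return 'xhr';     // constructed flag: cross-origin XHR available
    if (nav.hasXDomainRequest) return 'xdr';   // constructed flag: old IE
    return 'iframe';
  }
  throw new RangeError('payload of ' + len + ' bytes exceeds ' + XHR_POST_MAX);
}
```

Note that the beacon branch runs before the size checks, so with `useBeacon` set a hit larger than 8192 bytes is still handed to `sendBeacon`; only when the beacon is refused does the size ladder apply.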
google analytics (ga) identifiers: ga("create", TRACKING_ID, {"userId": USER_ID});
Tracking ID: "UA-<account ID>-<property ID>", identifies the ga property (= the site).
Client ID: generated by ga, identifies the browser; kept in the first-party cookie "_ga", which analytics.js sets.
User ID: an ID the site assigns to its logged-in user and passes to ga. 20 / 24
What does ga('send', 'pageview') send? The second argument is the hit type: pageview (a page view), event (e.g. a button click), social (Facebook, Twitter), timing (load times). These are the four hit types of analytics.js ga(). Reference: http://www.google.com/intl/ja_all/analytics/index.html 21 / 24
Defensive Programming, Secure Coding. Top 10 Secure Coding Practices (CERT):
Validate input
Heed compiler warnings (heed = pay attention to)
Architect and design for security policies
Keep it simple
Default deny
Adhere to the principle of least privilege
Sanitize data sent to other systems
Practice defense in depth
Use effective quality assurance techniques
Adopt a secure coding standard
22 / 24
Privacy: DNT (Don't Track Me). The header DNT: 1 is sent with http requests; see the RFC. 23 / 24
What next? GUI: Canvas, WebGL?; apps: packaged web apps, node-webkit, Apache cordova? (apps built from HTML); Chrome OS, Firefox OS; Node.js (server-side JS) 24 / 24