Content Security Policy : English Wikipedia
Content Security Policy
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from the execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security [cite: State of the draft], and it is widely supported by modern web browsers. CSP gives website owners a standard way to declare the approved origins of content that browsers should be allowed to load on that website. Covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets and ActiveX, audio and video files, and other HTML5 features.
==Status==
The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004, first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as a W3C candidate recommendation [cite: Content Security Policy 1.0], and further versions (Level 2) quickly followed, published in 2014. A draft of Level 3 is being developed, with its new features being quickly adopted by web browsers [cite: Content Security Policy Level 3].
The following header names are in use as part of experimental CSP implementations [cite: Can I use Content Security Policy?]:
* Content-Security-Policy: the standard header name proposed by the W3C document. Google Chrome supports this as of version 25. Firefox supports this as of version 23, released on 6 August 2013. WebKit supports this as of version 528 (nightly build).
* X-WebKit-CSP: a deprecated, experimental header introduced into Google Chrome and other WebKit-based browsers (Safari) in 2011.
* X-Content-Security-Policy: a deprecated, experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1) [cite: Introducing Content Security Policy].
A website can declare multiple CSP headers, including a mix of enforcing and report-only ones. Each header is processed separately by the browser.
CSP can also be delivered within the HTML code using an HTML meta tag, although in this case its effectiveness is limited.
Support for the sandbox directive is also available in Internet Explorer 10 and Internet Explorer 11 using the experimental X-Content-Security-Policy header [cite: Defense in Depth: Locking Down Mash-Ups with HTML5 Sandbox].
A number of web application frameworks support CSP, for example AngularJS [cite: ngCsp directive] (natively) and Django (middleware). Instructions for Ruby on Rails have been posted by GitHub [cite: Content security policy]. Web framework support is, however, only required if the CSP contents depend on the web application's state, such as the use of a nonce source. Otherwise the CSP is essentially static and can be delivered from tiers above the application, for example a load balancer or web server.
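The two behaviours described above, that each CSP header is processed separately with report-only headers never blocking, and that a per-response nonce makes the policy depend on application state, can be modelled in a few dozen lines. The following is an added example, not code from the Wikipedia article, the W3C specification or any browser; it implements a simplified version of CSP source matching (whole-host comparison, no path matching, a scheme-less host source matches any scheme) and assumes constructed hostnames (app.example.com, cdn.example.com, other.example.net) and a constructed report endpoint /csp-report.

```python
import secrets
from urllib.parse import urlsplit

# Added example: a simplified CSP evaluator modelling how a browser applies
# several policies independently and treats report-only policies as log-only.

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(header_value):
    """Parse one header value into {directive-name: [source-expressions]}.
    Directives are ';'-separated; a repeated directive is ignored (first wins)."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def make_nonce(nbytes=16):
    """Fresh per-response nonce: unguessable, and never reused across responses."""
    return secrets.token_urlsafe(nbytes)


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme + "://" + parts.netloc).lower()


def source_matches(source, url, page_url):
    """Does one source expression allow fetching `url` from a page at `page_url`?
    Simplified: host patterns are compared whole (no path matching) and a
    scheme-less host source matches any scheme."""
    if source.startswith("'"):                      # keyword sources
        return source == "'self'" and _origin(url) == _origin(page_url)
    if source == "*":
        return True
    if source.endswith(":"):                        # scheme-source such as https:
        return urlsplit(url).scheme.lower() == source[:-1].lower()
    scheme, _, host = source.rpartition("://")      # host-source, optional scheme
    parts = urlsplit(url)
    if scheme and parts.scheme.lower() != scheme.lower():
        return False
    host, url_host = host.lower(), parts.netloc.lower()
    if host.startswith("*."):                       # wildcard covers subdomains only
        return url_host.endswith(host[1:]) and url_host != host[1:]
    return url_host == host


def policy_allows(policy, directive, url, page_url, nonce=None):
    """Apply one parsed policy; a missing fetch directive falls back to default-src.
    url=None means inline script/style, which only a nonce or 'unsafe-inline' permits."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                                 # this policy does not govern it
    if url is None:
        if any(s.startswith("'nonce-") for s in sources):
            # CSP Level 2: when a nonce source is present, 'unsafe-inline' is ignored
            return nonce is not None and f"'nonce-{nonce}'" in sources
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url, page_url) for s in sources)


def evaluate(headers, directive, url, page_url, nonce=None):
    """Process every CSP header separately, as browsers do.
    Returns (blocked, reports): blocked is True only when an enforcing policy
    denies the load; every denial, enforced or report-only, yields a report."""
    blocked, reports = False, []
    for name, value in headers:
        if name.lower() not in (ENFORCE, REPORT_ONLY):
            continue
        if policy_allows(parse_csp(value), directive, url, page_url, nonce):
            continue
        disposition = "report" if name.lower() == REPORT_ONLY else "enforce"
        reports.append({"disposition": disposition, "directive": directive,
                        "blocked-uri": url or "inline", "policy": value})
        blocked = blocked or disposition == "enforce"
    return blocked, reports


def demo(nonce=None):
    """Constructed scenario: an enforced policy trusting 'self', a CDN and a nonce,
    plus a stricter report-only policy used to preview tightening the rules."""
    nonce = nonce or make_nonce()                   # would be emitted per response
    page = "https://app.example.com/"
    headers = [
        ("Content-Security-Policy",
         f"default-src 'self'; script-src 'self' 'nonce-{nonce}' https://cdn.example.com"),
        ("Content-Security-Policy-Report-Only",
         "default-src 'self'; script-src 'self'; report-uri /csp-report"),
    ]
    cases = {"own script": "https://app.example.com/app.js",
             "cdn script": "https://cdn.example.com/lib.js",
             "other host": "https://other.example.net/x.js",
             "inline+nonce": None}
    return {label: evaluate(headers, "script-src", url, page, nonce)
            for label, url in cases.items()}


if __name__ == "__main__":
    for label, (blocked, reports) in demo().items():
        print(f"{label:13s} blocked={blocked} reports={len(reports)}")
```

The CDN script case is the interesting one: the enforcing header permits it, so the browser loads it, while the stricter report-only header generates a violation report, which is exactly how a site previews a tighter policy before switching it to enforcement. Because the nonce appears in the header value, the header must be generated by the application tier for every response; a static policy without a nonce could be set once on the load balancer or web server.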
A number of new browser security standards are being proposed by the W3C, most of them complementary to CSP [cite: Web Application Security Working Group]:
* Sub-Resource Integrity (SRI), to ensure that only known, trusted resource files (typically JavaScript, CSS) are loaded from third-party servers (typically CDNs)
* Mixed Content, to clarify the intended browser policy on pages loaded over HTTPS that link to content over plaintext HTTP
* Upgrade Insecure Requests, hinting browsers on how to handle legacy links on pages migrated to HTTPS
* Credential Management, a unified JavaScript API for accessing the user's credentials to facilitate complex login schemes
* Referrer Policy, a CSP extension to hint the browser on how to generate Referer headers

Excerpt source: the free encyclopedia Wikipedia

Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.