{"id":10043,"date":"2025-11-11T02:47:00","date_gmt":"2025-11-10T17:47:00","guid":{"rendered":"https:\/\/www.ois-yokohama.co.jp\/oisblog2018\/?p=10043"},"modified":"2025-11-16T07:25:25","modified_gmt":"2025-11-15T22:25:25","slug":"spring-security%e3%81%a7csp%ef%bc%88content-security-policy%ef%bc%89%e5%af%be%e7%ad%96%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f%e8%a9%b1","status":"publish","type":"post","link":"https:\/\/www.ois-yokohama.co.jp\/oisblog2018\/archives\/10043","title":{"rendered":"Spring Security\u3067CSP\uff08Content-Security-Policy\uff09\u5bfe\u7b56\u3057\u3066\u307f\u305f\u8a71"},"content":{"rendered":"
\"\"<\/div>\n

\u3053\u3093\u306b\u3061\u306f\u3001\u732b\u597d\u304d\u30ea\u30fc\u30de\u30f3\u306e\u307b\u3052PG\u3067\u3059\u3002<\/p>\n\n\n\n

\u3042\u308b\u65e5\u3001\u3044\u3064\u3082\u306e\u3088\u3046\u306bOWASP ZAP\u3067\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c1\u30a7\u30c3\u30af\u3092\u3057\u3066\u3044\u305f\u3089\u3001\u3053\u3093\u306a\u8b66\u544a\u304c\u51fa\u307e\u3057\u305f\u3002<\/p>\n\n\n\n

\u300cContent-Security-Policy\u30d8\u30c3\u30c0\u30fc\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u305b\u3093\uff01\u300d<\/p>\n\n\n\n

\u2026\u2026\u3068\u3044\u3046\u308f\u3051\u3067\u3001\u4eca\u56de\u306f CSP<\/strong>\uff08Content-Security-Policy<\/strong>\uff09\u5bfe\u7b56<\/strong> \u3092Spring Security\u3067\u3069\u3046\u5b9f\u88c5\u3059\u308b\u304b\u3001\u5b9f\u969b\u306b\u3084\u3063\u3066\u307f\u305f\u5185\u5bb9\u3092\u307e\u3068\u3081\u3066\u307f\u307e\u3059\u3002<\/p>\n\n\n\n

\u305d\u3082\u305d\u3082CSP<\/strong>\u3063\u3066\uff1f<\/strong><\/p>\n\n\n\n

CSP\u306f\u3001\u30d6\u30e9\u30a6\u30b6\u304c\u8aad\u307f\u8fbc\u3080\u30ea\u30bd\u30fc\u30b9\u306e\u7a2e\u985e\u3084\u51fa\u6240\u3092\u5236\u9650\u3059\u308b\u3053\u3068\u3067\u3001XSS\uff08\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0\uff09\u306a\u3069\u306e\u653b\u6483\u3092\u9632\u3050\u305f\u3081\u306e\u4ed5\u7d44\u307f\u3067\u3059\u3002<\/p>\n\n\n\n

\u4e2d\u3067\u3082\u7279\u306b\u53b3\u3057\u3044\u306e\u304c script-src \u3068 style-src \u306e\u5236\u9650\u3002\u3053\u308c\u3089\u3092\u9069\u5207\u306b\u8a2d\u5b9a\u3057\u306a\u3044\u3068\u3001ZAP\u5148\u751f\u306b\u6012\u3089\u308c\u307e\u3059\u3002<\/p>\n\n\n\n

\u6012\u3089\u308c\u305f\u30b3\u30fc\u30c9\u305f\u3061<\/strong><\/p>\n\n\n\n

\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30fc\u30c9\u304cCSP\u7684\u306b\u306fNG\u3068\u3055\u308c\u307e\u3059\u3002<\/p>\n\n\n\n

\u6012\u3089\u308c\u308b\u30b3\u30fc\u30c9\u2460<\/strong>\uff1aonclick <\/strong>\u306b\u76f4\u63a5JavaScript<\/strong>\u3092\u66f8\u304f<\/strong><\/p>\n\n\n\n

<form name=\"logoutForm\" action=\"\/logout\" method=\"POST\">\n\u00a0\u00a0\u00a0 <a onclick=\"logoutForm.submit();\">Logout<\/a>\n<\/form>\u00a0<\/code><\/pre>\n\n\n\n
\u6012\u3089\u308c\u308b\u30b3\u30fc\u30c9\u2461<\/strong>\uff1a<script> <\/strong>\u30bf\u30b0\u5185\u306b\u76f4\u63a5JavaScript<\/strong>\u3092\u66f8\u304f<\/strong><\/p>\n\n\n\n
<script>\n$(window).on(\"load\", function<\/strong>() {\n\u00a0\u00a0\u00a0\u00a0\u00a0 \u2026\n});\n<\/script>\u00a0\u00a0<\/code><\/pre>\n\n\n\n
\u6012\u3089\u308c\u308b\u30b3\u30fc\u30c9\u2462<\/strong>\uff1astyle <\/strong>\u5c5e\u6027\u306b\u76f4\u63a5CSS<\/strong>\u3092\u66f8\u304f<\/strong><\/p>\n\n\n\n
<div style=\"background: green;\">\n<h3>\u30c8\u30c3\u30d7<\/h3>\n<\/div>\u00a0<\/code><\/pre>\n\n\n\n
\u6012\u3089\u308c\u308b\u30b3\u30fc\u30c9\u2463<\/strong>\uff1a<style> <\/strong>\u30bf\u30b0\u5185\u306b\u76f4\u63a5CSS<\/strong>\u3092\u66f8\u304f<\/strong><\/p>\n\n\n\n
<style>\n\u00a0\u00a0\u00a0 .cusor-pointer {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cursor : pointer;\n\u00a0\u00a0\u00a0 }\n<\/style>\u00a0\u00a0<\/code><\/pre>\n\n\n\n
\u3064\u307e\u308a\u3001\u30a4\u30f3\u30e9\u30a4\u30f3\u306e<\/strong>JavaScript<\/strong>\u3084CSS<\/strong>\u306f\u5168\u90e8\u30a2\u30a6\u30c8<\/strong>\u3068\u3044\u3046\u3053\u3068\u3067\u3059\u306d\u3002<\/p>\n\n\n\n
\u5bfe\u7b56\u65b9\u6cd5\uff1a\u30a4\u30f3\u30e9\u30a4\u30f3\u30b3\u30fc\u30c9\u3092\u5916\u306b\u51fa\u3059<\/strong><\/p>\n\n\n\n
\u57fa\u672c\u7684\u306a\u5bfe\u7b56\u306f\u30b7\u30f3\u30d7\u30eb\u3067\u3001<\/p>\n\n\n\n