5 changes: 5 additions & 0 deletions .jules/sentinel.md
@@ -14,3 +14,8 @@
**Vulnerability:** When external links (especially links to references and the like) use the `target="_blank"` attribute or are otherwise made to open in a new tab, the `rel="noopener noreferrer"` attribute is missing, which can expose the page to reverse tabnabbing attacks.
**Learning:** Without `rel="noopener noreferrer"`, the page in the newly opened tab can use the `window.opener` object to change the original page's `location` to a malicious site.
**Prevention:** Whenever `target="_blank"` is used to open an external link in a new tab, add `rel="noopener noreferrer"` alongside it to block access to the parent window.

## 2026-07-02 - [Zero-Dependency Trusted Types Enforcement]
**Vulnerability:** [Missing protection against potential future DOM-based XSS if risky sinks are introduced]
**Learning:** [Because the application uses safe DOM properties like `textContent` instead of `innerHTML`, we can natively enforce Trusted Types via CSP without needing a default policy or an external sanitizer like DOMPurify.]
**Prevention:** [Enforce `require-trusted-types-for 'script'` in CSP for applications that exclusively use safe DOM APIs to proactively block future insecure sink usage.]
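Review bot: the new entry keeps the template's square brackets around its heading and all three fields, unlike the entry above it; drop them so the log stays consistent (`## 2026-07-02 - Zero-Dependency Trusted Types Enforcement`). On substance, the Learning overstates the guarantee: `require-trusted-types-for 'script'` gates far more than `innerHTML`. It also covers `outerHTML`, `insertAdjacentHTML`, `document.write`, `eval`, `new Function`, string arguments to `setTimeout`/`setInterval`, script element `src`/`text`, and `iframe.srcdoc`, so "the application uses `textContent`" is not by itself evidence that enforcement is safe. The Prevention should state that every sink in the page's scripts was audited, and that a violation is a hard runtime failure (a `TypeError` thrown at the sink), not a report. Since the policy is delivered in a `<meta>` tag, no report-only phase is possible, which is worth recording here as the reason the audit has to be complete before enforcement.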
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -3,3 +3,10 @@
## [Unreleased]
- **Performance improvement**: `i18n.js` now skips unnecessary DOM traversal and text updates on initial load when the default language is Korean (ko).
- **Tests added**: Added the `test_i18n.html` test file to verify the integrity of the multilingual handling logic.

### Security
* Applied a Trusted Types CSP to `index.html` (`require-trusted-types-for 'script'`)

* Applied CSP settings to improve security (Trusted Types)

* Added changes to work around a CI workflow timeout error and re-trigger the review process
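Review bot: the three bullets under `### Security` describe one change. The first two both record the Trusted Types CSP added to `index.html`, and the third (a change made only to get around a CI workflow timeout and re-trigger review) is a process note, not a security change, and should not ship in a user-facing changelog. Collapse to one bullet, e.g. `- Enforce Trusted Types in index.html via CSP (require-trusted-types-for 'script')`, and keep the `-` bullet style the rest of the `[Unreleased]` section already uses instead of introducing `*` and blank lines between items.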
2 changes: 1 addition & 1 deletion index.html
@@ -3,7 +3,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; require-trusted-types-for 'script';">
<meta name="referrer" content="strict-origin-when-cross-origin">
<title>λ§₯λ½μ§€ν˜œ 연ꡬ싀 | Contextual Wisdom Lab</title>
<meta
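Review bot: `require-trusted-types-for 'script'` is added without a `trusted-types` directive, so any script on the page can still create a policy under any name (including `default`) and hand strings back to the sinks; if the claim is that no policy is needed, lock that in with `trusted-types 'none';` alongside it. Because this CSP is delivered through `<meta http-equiv>`, there is no `Content-Security-Policy-Report-Only` option, so the first string that reaches a sink will throw a `TypeError` in an enforcing browser rather than log a report. The diff touches only the policy line and nothing here shows the page's scripts (including the `i18n.js` DOM updates mentioned in the changelog) were checked against the full sink list (`innerHTML`, `outerHTML`, `insertAdjacentHTML`, `document.write`, `eval`, `setTimeout` with a string, script `src`, `iframe.srcdoc`); exercise the page and the language switch in a Trusted Types-enforcing browser before merging and note the result in the PR.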