4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -14,3 +14,7 @@
**Vulnerability:** ์™ธ๋ถ€ ๋งํฌ(ํŠนํžˆ ์ฐธ์กฐ๋ฌธํ—Œ ๋งํฌ ๋“ฑ)์— `target="_blank"` ์†์„ฑ์„ ์‚ฌ์šฉํ•˜๊ฑฐ๋‚˜ ์ƒˆ ํƒญ์œผ๋กœ ์—ฌ๋Š” ๋™์ž‘์„ ์œ ๋„ํ•  ๋•Œ, `rel="noopener noreferrer"` ์†์„ฑ์ด ๋ˆ„๋ฝ๋˜์–ด Reverse Tabnabbing ๊ณต๊ฒฉ์— ๋…ธ์ถœ๋  ์ˆ˜ ์žˆ์Œ.
**Learning:** `rel="noopener noreferrer"`๊ฐ€ ์—†์œผ๋ฉด ์ƒˆ๋กœ ์—ด๋ฆฐ ํƒญ์˜ ํŽ˜์ด์ง€๊ฐ€ `window.opener` ๊ฐ์ฒด๋ฅผ ํ†ตํ•ด ์›๋ž˜ ํŽ˜์ด์ง€์˜ `location`์„ ์•…์˜์ ์ธ ์‚ฌ์ดํŠธ๋กœ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
**Prevention:** ์™ธ๋ถ€ ๋งํฌ๋ฅผ ์ƒˆ ํƒญ์œผ๋กœ ์—ด๊ธฐ ์œ„ํ•ด `target="_blank"`๋ฅผ ์‚ฌ์šฉํ•  ๋•Œ๋งŒ `rel="noopener noreferrer"`๋ฅผ ํ•จ๊ป˜ ์ถ”๊ฐ€ํ•˜์—ฌ ๋ถ€๋ชจ ์ฐฝ์— ๋Œ€ํ•œ ์ ‘๊ทผ์„ ์ฐจ๋‹จํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
## 2026-07-04 - Enforce Trusted Types natively
**Vulnerability:** The application was not enforcing Trusted Types in its Content Security Policy, leaving it theoretically vulnerable to DOM XSS if unsafe DOM sinks (like innerHTML) were ever introduced in the future.
**Learning:** When an application exclusively uses safe DOM APIs (like `textContent`) and lacks risky sinks, `require-trusted-types-for 'script'` can be enforced natively via CSP without needing to define a Trusted Types policy or use external sanitizers like DOMPurify. This provides a zero-dependency defense-in-depth layer against future regressions.
**Prevention:** For static sites using safe DOM manipulation, always add `require-trusted-types-for 'script'` to the CSP to proactively block any future usage of unsafe DOM sinks.
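Review bot: the Learning and Prevention lines of this new entry overstate what `require-trusted-types-for 'script'` guarantees and should carry two caveats. First, the directive is only enforced by browsers that implement Trusted Types; everywhere else it is silently ignored and the site falls back to the existing safe-DOM discipline alone, so "zero-dependency defense-in-depth" holds only where the feature is supported. Second, because this CSP is delivered through a `<meta http-equiv>` element there is no report-only mode to trial the directive, so the entry should record how the change was validated (loading the site in a Trusted-Types-capable browser and confirming that no TypeError from a DOM sink appears in the console). A suggested Prevention wording: `add require-trusted-types-for 'script' to the CSP, verify in a supporting browser that no sink is hit, and note that enforcement is browser-dependent.`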
2 changes: 1 addition & 1 deletion index.html
@@ -3,7 +3,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; require-trusted-types-for 'script';">
<meta name="referrer" content="strict-origin-when-cross-origin">
<title>๋งฅ๋ฝ์ง€ํ˜œ ์—ฐ๊ตฌ์‹ค | Contextual Wisdom Lab</title>
<meta
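Review bot: the modified `content` attribute adds `require-trusted-types-for 'script'` but no `trusted-types` directive, so any script that `default-src 'self'` allows (there is no separate `script-src` here) may still call `trustedTypes.createPolicy()` with an arbitrary name and route strings back into DOM sinks through that policy. Since the accompanying sentinel entry states that the site defines no policy at all, consider closing that door explicitly by appending `trusted-types 'none';` to the same attribute. Also note that a meta-delivered CSP cannot be trialled with a report-only header, so the change should be validated by exercising the page in a browser that enforces Trusted Types and confirming the console shows no TypeError.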