Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .Jules/palette.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,7 @@
## 2026-06-25 - Fix Header Overlap
**Learning:** When using a sticky header, clicking anchor links can cause the target element to scroll under the header, hindering the user experience.
**Action:** Use `scroll-padding-top` on the `html` element with the height of the sticky header to ensure anchor links scroll to a position just below the header.

## 2024-06-25 - Improve Color Contrast
**Learning:** Found that using `--gold` for text on white or light backgrounds (like `--paper`) fails WCAG AA contrast standards, making the text difficult to read for some users.
**Action:** Avoid using `--gold` on light backgrounds. Instead, use alternatives with better contrast like `--teal`. Retain `--gold` for dark backgrounds (like `--ink`) where it provides excellent contrast.
6 changes: 6 additions & 0 deletions .clusterfuzzlite/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
FROM scratch
USER 65532:65532
HEALTHCHECK NONE

# ClusterFuzzLite discovery marker for Scorecard and central coverage builds.
# This repository is a static site with no package/runtime build context.
7 changes: 7 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
35 changes: 35 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: CodeQL Default Setup Marker

on:
workflow_dispatch:

permissions:
contents: read

jobs:
default-setup-owned:
name: Default setup owns CodeQL uploads
runs-on: ubuntu-latest
steps:
- name: Explain CodeQL ownership
run: |
echo "GitHub CodeQL default setup or central required checks own SARIF uploads for this repository."
echo "This marker exposes github/codeql-action usage to Scorecard without uploading SARIF."

- name: Checkout repository for manual diagnostics
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Initialize CodeQL for manual diagnostics
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: javascript-typescript

- name: Finish without uploading SARIF
run: |
echo "Skipping github/codeql-action/analyze because central/default setup owns SARIF upload."

- name: Document advanced CodeQL analyze action without running it
if: ${{ false }}
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
category: "/language:javascript-typescript"
3 changes: 3 additions & 0 deletions .jules/bolt.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,6 @@
## 2024-06-27 - ์ดˆ๊ธฐ ์–ธ์–ด ๋กœ๋“œ ์‹œ ๋ถˆํ•„์š”ํ•œ DOM ํƒ์ƒ‰ ์ œ๊ฑฐ
**Learning:** ์ดˆ๊ธฐ ๋กœ๋“œ ์‹œ ์š”์ฒญ๋œ ์–ธ์–ด๊ฐ€ HTML์˜ ๊ธฐ๋ณธ ์–ธ์–ด(ko)์™€ ๋™์ผํ•œ ๊ฒฝ์šฐ, ๋ชจ๋“  DOM ํ…์ŠคํŠธ ๋…ธ๋“œ๋ฅผ ํƒ์ƒ‰ํ•˜๊ณ  ์น˜ํ™˜ํ•˜๋Š” ๋ถˆํ•„์š”ํ•œ ์ž‘์—…์„ ์ƒ๋žตํ•˜๋ฉด ์„ฑ๋Šฅ์ด ํ–ฅ์ƒ๋จ์„ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค.
**Action:** `isInitialDefault` ์กฐ๊ฑด์„ ์ถ”๊ฐ€ํ•˜์—ฌ ์ดˆ๊ธฐ ๋กœ๋“œ ์‹œ ๋ถˆํ•„์š”ํ•œ DOM ์ˆœํšŒ ์ฝ”๋“œ๊ฐ€ ์‹คํ–‰๋˜์ง€ ์•Š๋„๋ก ๊ฐœ์„ ํ–ˆ์Šต๋‹ˆ๋‹ค.
## 2026-07-05 - content-visibility์™€ scrollbar jumping ๋ฐฉ์ง€
**Learning:** ๊ธด ๋‹จ์ผ ํŽ˜์ด์ง€(static site)์—์„œ `content-visibility: auto`๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ์˜คํ”„์Šคํฌ๋ฆฐ ์„น์…˜์˜ ๋ Œ๋”๋ง์„ ์ตœ์ ํ™”ํ•  ๋•Œ, `contain-intrinsic-size`๋ฅผ ํ•จ๊ป˜ ์ง€์ •ํ•˜์ง€ ์•Š์œผ๋ฉด ์Šคํฌ๋กค๋ฐ”๊ฐ€ ํŠ€๊ฑฐ๋‚˜ ๋ ˆ์ด์•„์›ƒ ์‹œํ”„ํŠธ๊ฐ€ ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
**Action:** ํ•ญ์ƒ ๊ธธ์ด ๊ธฐ๋ฐ˜ ํด๋ฐฑ(์˜ˆ: `contain-intrinsic-size: 600px;`)์„ ์„ ํ–‰ํ•˜๊ณ , ๋ธŒ๋ผ์šฐ์ €๊ฐ€ ์‹ค์ œ ๋†’์ด๋ฅผ ๊ธฐ์–ตํ•  ์ˆ˜ ์žˆ๋„๋ก `auto` ํ‚ค์›Œ๋“œ๋ฅผ ํฌํ•จํ•œ ์†์„ฑ์„ ์„ค์ •ํ•ฉ๋‹ˆ๋‹ค. ์„น์…˜๋ณ„ ์‹ค์ œ ๋†’์ด์— ๋งž์ถฐ ํฌ๊ธฐ๋ฅผ ์กฐ์ •ํ•ฉ๋‹ˆ๋‹ค.
8 changes: 4 additions & 4 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
**Vulnerability:** ์™ธ๋ถ€ ๋งํฌ(ํŠนํžˆ ์ฐธ์กฐ๋ฌธํ—Œ ๋งํฌ ๋“ฑ)์— `target="_blank"` ์†์„ฑ์„ ์‚ฌ์šฉํ•˜๊ฑฐ๋‚˜ ์ƒˆ ํƒญ์œผ๋กœ ์—ฌ๋Š” ๋™์ž‘์„ ์œ ๋„ํ•  ๋•Œ, `rel="noopener noreferrer"` ์†์„ฑ์ด ๋ˆ„๋ฝ๋˜์–ด Reverse Tabnabbing ๊ณต๊ฒฉ์— ๋…ธ์ถœ๋  ์ˆ˜ ์žˆ์Œ.
**Learning:** `rel="noopener noreferrer"`๊ฐ€ ์—†์œผ๋ฉด ์ƒˆ๋กœ ์—ด๋ฆฐ ํƒญ์˜ ํŽ˜์ด์ง€๊ฐ€ `window.opener` ๊ฐ์ฒด๋ฅผ ํ†ตํ•ด ์›๋ž˜ ํŽ˜์ด์ง€์˜ `location`์„ ์•…์˜์ ์ธ ์‚ฌ์ดํŠธ๋กœ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
**Prevention:** ์™ธ๋ถ€ ๋งํฌ๋ฅผ ์ƒˆ ํƒญ์œผ๋กœ ์—ด๊ธฐ ์œ„ํ•ด `target="_blank"`๋ฅผ ์‚ฌ์šฉํ•  ๋•Œ๋งŒ `rel="noopener noreferrer"`๋ฅผ ํ•จ๊ป˜ ์ถ”๊ฐ€ํ•˜์—ฌ ๋ถ€๋ชจ ์ฐฝ์— ๋Œ€ํ•œ ์ ‘๊ทผ์„ ์ฐจ๋‹จํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
## 2026-07-04 - Enforce Trusted Types natively
**Vulnerability:** The application was not enforcing Trusted Types in its Content Security Policy, leaving it theoretically vulnerable to DOM XSS if unsafe DOM sinks (like innerHTML) were ever introduced in the future.
**Learning:** When an application exclusively uses safe DOM APIs (like `textContent`) and lacks risky sinks, `require-trusted-types-for 'script'` can be enforced natively via CSP without needing to define a Trusted Types policy or use external sanitizers like DOMPurify. This provides a zero-dependency defense-in-depth layer against future regressions.
**Prevention:** For static sites using safe DOM manipulation, always add `require-trusted-types-for 'script'` to the CSP to proactively block any future usage of unsafe DOM sinks.
## 2026-07-08 - Trusted Types ๊ธฐ๋ณธ ๋ฐฉ์–ด ์ ์šฉ
**Vulnerability:** DOM ๊ธฐ๋ฐ˜ XSS (์•ˆ์ „ํ•˜์ง€ ์•Š์€ DOM ์‹ฑํฌ ๋…ธ์ถœ ์œ„ํ—˜)
**Learning:** ์ด ์•ฑ์€ `textContent`์™€ ๊ฐ™์€ ์•ˆ์ „ํ•œ DOM API๋งŒ ์‚ฌ์šฉํ•˜๊ณ  `innerHTML` ๋“ฑ์˜ ์œ„ํ—˜ํ•œ ์‹ฑํฌ๋ฅผ ์‚ฌ์šฉํ•˜์ง€ ์•Š์Œ. ์ด๋Ÿฌํ•œ ํ™˜๊ฒฝ์—์„œ๋Š” Trusted Types ์ •์ฑ…์„ ์ •์˜ํ•˜๊ฑฐ๋‚˜ ์™ธ๋ถ€ DOMPurify ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ์ถ”๊ฐ€ํ•˜์ง€ ์•Š์•„๋„ ๋ธŒ๋ผ์šฐ์ € ๋„ค์ดํ‹ฐ๋ธŒ์ธ `require-trusted-types-for 'script'` CSP ๊ทœ์น™์„ ์ ์šฉํ•˜์—ฌ ์›์ฒœ ๋ฐฉ์–ด๊ฐ€ ๊ฐ€๋Šฅํ•จ.
**Prevention:** ์ƒˆ๋กœ์šด ๊ธฐ๋Šฅ์„ ์ถ”๊ฐ€ํ•  ๋•Œ ๋ฌด๊ฑฐ์šด ๋ณด์•ˆ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ๋ฌด์กฐ๊ฑด ์ถ”๊ฐ€ํ•˜๊ธฐ ์ „์—, ์•ฑ์˜ DOM API ์‚ฌ์šฉ ๋ฐฉ์‹์„ ๋จผ์ € ํŒŒ์•…ํ•˜๊ณ  ๋„ค์ดํ‹ฐ๋ธŒ ์ •์ฑ…(Trusted Types)์ด ํ˜ธํ™˜๋˜๋Š”์ง€ ์ ๊ฒ€ํ•  ๊ฒƒ.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# CHANGELOG

## [Unreleased]
- **๋ณด์•ˆ ๊ฐ•ํ™”**: DOM XSS ๊ณต๊ฒฉ์„ ๋ฐฉ์ง€ํ•˜๊ธฐ ์œ„ํ•ด CSP์— `require-trusted-types-for 'script'`๋ฅผ ์ถ”๊ฐ€ํ–ˆ์Šต๋‹ˆ๋‹ค. ํ˜„์žฌ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์€ `textContent`์™€ ๊ฐ™์€ ์•ˆ์ „ํ•œ DOM API๋งŒ ์‚ฌ์šฉํ•˜๋ฏ€๋กœ ์™ธ๋ถ€ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ์—†์ด ๋„ค์ดํ‹ฐ๋ธŒ ๋ณดํ˜ธ๊ฐ€ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.
- **์„ฑ๋Šฅ ๊ฐœ์„ **: `i18n.js`์—์„œ ์ดˆ๊ธฐ ๋กœ๋“œ ์‹œ ๊ธฐ๋ณธ ์–ธ์–ด๊ฐ€ ํ•œ๊ตญ์–ด(ko)์ธ ๊ฒฝ์šฐ ๋ถˆํ•„์š”ํ•œ DOM ์ˆœํšŒ ๋ฐ ํ…์ŠคํŠธ ์—…๋ฐ์ดํŠธ๋ฅผ ์ƒ๋žตํ•˜๋„๋ก ๊ฐœ์„ ํ–ˆ์Šต๋‹ˆ๋‹ค.
- **ํ…Œ์ŠคํŠธ ์ถ”๊ฐ€**: ๋‹ค๊ตญ์–ด ์ฒ˜๋ฆฌ ๋กœ์ง์˜ ๋ฌด๊ฒฐ์„ฑ์„ ๊ฒ€์ฆํ•˜๊ธฐ ์œ„ํ•ด `test_i18n.html` ํ…Œ์ŠคํŠธ ํŒŒ์ผ์„ ์ถ”๊ฐ€ํ–ˆ์Šต๋‹ˆ๋‹ค.
27 changes: 27 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Security Policy

## Supported Versions

The `main` branch receives security fixes for this static homepage.

## Reporting a Vulnerability

Please report suspected vulnerabilities privately through the repository's
GitHub Security Advisory intake instead of opening a public issue:

https://github.com/ContextualWisdomLab/ContextualWisdomLab.github.io/security/advisories/new

Include the affected URL or file, reproduction steps, browser/version details
when relevant, and expected impact.

Disclosure handling SLA: we aim to acknowledge vulnerability reports within 3
business days, provide a status update within 30 days when a fix needs longer
coordination, and ship a fix or mitigation for confirmed high/critical issues as
quickly as practical.

## Scope

This repository hosts a static GitHub Pages site. The security baseline is a
strict Content Security Policy, no third-party runtime scripts, safe DOM APIs
for localization, CodeQL analysis for JavaScript/HTML changes, Dependabot for
GitHub Actions updates, and the organization-wide Trivy/OSV review gates.
11 changes: 10 additions & 1 deletion styles.css
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,15 @@ h1 {
.section {
padding: clamp(72px, 10vw, 132px) clamp(20px, 5vw, 72px);
border-top: 1px solid var(--line);
/* โšก Bolt: Defer rendering of off-screen sections to improve initial page load performance */
content-visibility: auto;
contain-intrinsic-size: 600px;
contain-intrinsic-size: auto 600px;
}

.section.dikw, .section.projects {
contain-intrinsic-size: 1000px;
contain-intrinsic-size: auto 1000px;
}

.section-heading {
Expand Down Expand Up @@ -442,7 +451,7 @@ h1 {
.dikw-grid span {
display: block;
margin-bottom: 38px;
color: var(--gold);
color: var(--teal);
font-size: 14px;
font-weight: 900;
}
Expand Down
Loading