Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,7 @@
**Vulnerability:** μ™ΈλΆ€ 링크(특히 μ°Έμ‘°λ¬Έν—Œ 링크 λ“±)에 `target="_blank"` 속성을 μ‚¬μš©ν•˜κ±°λ‚˜ μƒˆ νƒ­μœΌλ‘œ μ—¬λŠ” λ™μž‘μ„ μœ λ„ν•  λ•Œ, `rel="noopener noreferrer"` 속성이 λˆ„λ½λ˜μ–΄ Reverse Tabnabbing 곡격에 λ…ΈμΆœλ  수 있음.
**Learning:** `rel="noopener noreferrer"`κ°€ μ—†μœΌλ©΄ μƒˆλ‘œ μ—΄λ¦° νƒ­μ˜ νŽ˜μ΄μ§€κ°€ `window.opener` 객체λ₯Ό 톡해 μ›λž˜ νŽ˜μ΄μ§€μ˜ `location`을 μ•…μ˜μ μΈ μ‚¬μ΄νŠΈλ‘œ λ³€κ²½ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
**Prevention:** μ™ΈλΆ€ 링크λ₯Ό μƒˆ νƒ­μœΌλ‘œ μ—΄κΈ° μœ„ν•΄ `target="_blank"`λ₯Ό μ‚¬μš©ν•  λ•Œλ§Œ `rel="noopener noreferrer"`λ₯Ό ν•¨κ»˜ μΆ”κ°€ν•˜μ—¬ λΆ€λͺ¨ 창에 λŒ€ν•œ 접근을 차단해야 ν•©λ‹ˆλ‹€.
## 2026-07-07 - CSP에 Trusted Types κ°•μ œ 적용
**Vulnerability:** `require-trusted-types-for 'script'` μ§€μ‹œλ¬Έμ΄ μ—†μœΌλ©΄, ν–₯ν›„ `innerHTML`κ³Ό 같은 μœ„ν—˜ν•œ DOM 싱크가 μ½”λ“œλ² μ΄μŠ€μ— λ„μž…λ  경우 DOM 기반 XSS(크둜슀 μ‚¬μ΄νŠΈ μŠ€ν¬λ¦½νŒ…) 취약점에 λ…ΈμΆœλ  수 μžˆμŠ΅λ‹ˆλ‹€.
**Learning:** `textContent`와 같은 μ•ˆμ „ν•œ DOM APIλ§Œμ„ λ…μ μ μœΌλ‘œ μ‚¬μš©ν•˜κ³  μœ„ν—˜ν•œ 싱크λ₯Ό ν¬ν•¨ν•˜μ§€ μ•ŠλŠ” μ• ν”Œλ¦¬μΌ€μ΄μ…˜μ€, μ™ΈλΆ€ μ •μ±… 객체(policy)λ‚˜ μƒˆλ‹ˆνƒ€μ΄μ €(sanitizer) 없이도 λ„€μ΄ν‹°λΈŒν•˜κ²Œ Trusted Typesλ₯Ό κ°•μ œν•  수 μžˆμŠ΅λ‹ˆλ‹€. μ΄λŠ” 미래의 DOM XSS λ„μž…μ„ μ›μ²œ μ°¨λ‹¨ν•˜λŠ” κ°•λ ₯ν•œ λ‹€μΈ΅ λ°©μ–΄(defense-in-depth) μˆ˜λ‹¨μ„ μ œκ³΅ν•©λ‹ˆλ‹€.
**Prevention:** μ• ν”Œλ¦¬μΌ€μ΄μ…˜μ΄ μ•ˆμ „ν•œ DOM APIλ§Œμ„ μ‚¬μš©ν•  λ•Œ CSP에 `require-trusted-types-for 'script'`λ₯Ό 항상 κ°•μ œν•˜μ—¬, μ‹€μˆ˜λ‘œ DOM XSS 취약점이 λ„μž…λ˜λŠ” 것을 μ˜ˆλ°©ν•΄μ•Ό ν•©λ‹ˆλ‹€.
2 changes: 1 addition & 1 deletion index.html
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; require-trusted-types-for 'script';">
<meta name="referrer" content="strict-origin-when-cross-origin">
<title>λ§₯λ½μ§€ν˜œ 연ꡬ싀 | Contextual Wisdom Lab</title>
<meta
Expand Down
Loading