Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,7 @@
**Vulnerability:** ์™ธ๋ถ€ ๋งํฌ(ํŠนํžˆ ์ฐธ์กฐ๋ฌธํ—Œ ๋งํฌ ๋“ฑ)์— `target="_blank"` ์†์„ฑ์„ ์‚ฌ์šฉํ•˜๊ฑฐ๋‚˜ ์ƒˆ ํƒญ์œผ๋กœ ์—ฌ๋Š” ๋™์ž‘์„ ์œ ๋„ํ•  ๋•Œ, `rel="noopener noreferrer"` ์†์„ฑ์ด ๋ˆ„๋ฝ๋˜์–ด Reverse Tabnabbing ๊ณต๊ฒฉ์— ๋…ธ์ถœ๋  ์ˆ˜ ์žˆ์Œ.
**Learning:** `rel="noopener noreferrer"`๊ฐ€ ์—†์œผ๋ฉด ์ƒˆ๋กœ ์—ด๋ฆฐ ํƒญ์˜ ํŽ˜์ด์ง€๊ฐ€ `window.opener` ๊ฐ์ฒด๋ฅผ ํ†ตํ•ด ์›๋ž˜ ํŽ˜์ด์ง€์˜ `location`์„ ์•…์˜์ ์ธ ์‚ฌ์ดํŠธ๋กœ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
**Prevention:** ์™ธ๋ถ€ ๋งํฌ๋ฅผ ์ƒˆ ํƒญ์œผ๋กœ ์—ด๊ธฐ ์œ„ํ•ด `target="_blank"`๋ฅผ ์‚ฌ์šฉํ•  ๋•Œ๋งŒ `rel="noopener noreferrer"`๋ฅผ ํ•จ๊ป˜ ์ถ”๊ฐ€ํ•˜์—ฌ ๋ถ€๋ชจ ์ฐฝ์— ๋Œ€ํ•œ ์ ‘๊ทผ์„ ์ฐจ๋‹จํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
## 2026-07-01 - Add Trusted Types Policy via DOMPurify
**Vulnerability:** Application lacked Trusted Types enforcement, which left it potentially vulnerable to DOM-based XSS if DOM sinks (like `innerHTML`) were manipulated.
**Learning:** Enforcing `require-trusted-types-for 'script'` in CSP will crash Chromium-based browsers if they assign strings to DOM sinks without a registered policy.
**Prevention:** Always pair the CSP `require-trusted-types-for 'script'` directive with a default Trusted Types policy that securely sanitizes input using an established library like DOMPurify.
Loading