π‘οΈ Sentinel: [security improvement] CSP Trusted Types μ μ± λ° DOMPurify μλ μΆκ°#42
Conversation
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Pull request overview
This PR hardens the static site against DOM-based XSS by enforcing Trusted Types via CSP and registering a default Trusted Types policy backed by DOMPurify, with supporting documentation updates.
Changes:
- Add
require-trusted-types-for 'script'to the CSP meta tag inindex.html. - Introduce
security.jsto register a default Trusted Types policy that sanitizes HTML via DOMPurify. - Vendor DOMPurify (
assets/dompurify.min.js) and document the Sentinel security learning in.jules/sentinel.md.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| index.html | Enforces Trusted Types in CSP and loads DOMPurify + the default policy script. |
| security.js | Registers a default Trusted Types policy that sanitizes HTML with DOMPurify. |
| assets/dompurify.min.js | Adds vendored DOMPurify runtime used by the Trusted Types policy. |
| .jules/sentinel.md | Documents the Trusted Types hardening rationale and prevention guidance. |
π‘ Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (window.trustedTypes && trustedTypes.createPolicy) { | ||
| trustedTypes.createPolicy('default', { | ||
| createHTML: (string) => DOMPurify.sanitize(string, {RETURN_TRUSTED_TYPE: true}) | ||
| }); | ||
| } |
| <script src="assets/dompurify.min.js"></script> | ||
| <script src="security.js"></script> | ||
| <script src="i18n.js" defer></script> |
| **Prevention:** μΈλΆ λ§ν¬λ₯Ό μ νμΌλ‘ μ΄κΈ° μν΄ `target="_blank"`λ₯Ό μ¬μ©ν λλ§ `rel="noopener noreferrer"`λ₯Ό ν¨κ» μΆκ°νμ¬ λΆλͺ¨ μ°½μ λν μ κ·Όμ μ°¨λ¨ν΄μΌ ν©λλ€. | ||
| ## 2026-07-01 - Add Trusted Types Policy via DOMPurify | ||
| **Vulnerability:** Application lacked Trusted Types enforcement, which left it potentially vulnerable to DOM-based XSS if DOM sinks (like `innerHTML`) were manipulated. | ||
| **Learning:** Enforcing `require-trusted-types-for 'script'` in CSP will crash Chromium-based browsers if they assign strings to DOM sinks without a registered policy. |
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head evidence but found unresolved reviewer or review-agent threads before approval.
Findings
1. HIGH .github/workflows/opencode-review.yml:1 - Unresolved reviewer thread blocks automated approval
- Problem: OpenCode reached an APPROVE control result, but the approval step found unresolved, non-outdated human or review-agent thread evidence on the current pull request.
- Root cause: Reviewer and review-agent feedback can arrive after bounded model evidence is prepared, so the approval step must re-query GitHub immediately before publishing an approval.
- Fix: Address or resolve the listed reviewer thread(s), then re-run OpenCode on the current head.
- Regression test: Keep the approval gate querying reviewThreads(first: 100) after model output and before create_pull_review APPROVE, including bot review agents other than OpenCode itself.
Review thread evidence
Latest unresolved reviewer thread evidence
security.js line 7
- Latest reviewer comment: @copilot-pull-request-reviewer at 2026-07-01T16:36:27Z
- Comment URL: #42 (comment)
- Comment excerpt: 'trustedTypes.createPolicy('default', β¦)' can throw (e.g., if a default policy already exists), which would break page load. Also, the guard checks 'window.trustedTypes' but then uses the unqualified 'trustedTypes' identifier, and the policy assumes DOMPurify is always present. Consider using 'window.trustedTypes' consistently, checking 'window.DOMPurify', and wrapping policy creation in a try/catch so the page still loads if policy creation fails.
index.html line 28
- Latest reviewer comment: @copilot-pull-request-reviewer at 2026-07-01T16:36:27Z
- Comment URL: #42 (comment)
- Comment excerpt: The newly added scripts are render-blocking because they omit 'defer', while 'i18n.js' is already deferred. Since these scripts don't appear to be needed during initial HTML parsing, deferring them will avoid blocking and keep script execution order (DOMPurify β security policy β i18n) intact.
.jules/sentinel.md line 19
-
Latest reviewer comment: @copilot-pull-request-reviewer at 2026-07-01T16:36:27Z
-
Comment URL: #42 (comment)
-
Comment excerpt: In Chromium, Trusted Types enforcement typically throws a Trusted Types violation (e.g., a TypeError) rather than "crashing" the browser. Rewording avoids ambiguity and keeps the doc technically precise.
-
Result: REQUEST_CHANGES
-
Reason: unresolved reviewer or review-agent thread(s) were present before approval.
-
Head SHA:
d2338c5e7cae34c3d4c99f42ebe9b0751e94d94a -
Workflow run: 28532676057
-
Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (4 files)"]
S1 --> I1["repository behavior"]
I1 --> R1["Review risk: Changed file (4 files)"]
R1 --> V1["required checks"]
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head evidence but found unresolved reviewer or review-agent threads before approval. Findings1. HIGH .github/workflows/opencode-review.yml:1 - Unresolved reviewer thread blocks automated approval
Review thread evidenceLatest unresolved reviewer thread evidence
|
π¨ Severity: HIGH
π‘ Vulnerability: μ ν리μΌμ΄μ μ Trusted Types μ μ± μ΄ κ°μ λμ§ μμ, μΆν DOM sink(μ: innerHTML)μ μ λ’°ν μ μλ λ°μ΄ν°κ° ν λΉλ κ²½μ° DOM κΈ°λ° XSS 곡격μ λ ΈμΆλ μνμ΄ μ‘΄μ¬νμ΅λλ€.
π― Impact: 곡격μκ° μ μ± μ€ν¬λ¦½νΈλ₯Ό μ£Όμ νμ¬ μ¬μ©μ λΈλΌμ°μ μμ μμμ μ½λλ₯Ό μ€ννκ±°λ μΈμ μ νμ·¨ν μ μμ΅λλ€.
π§ Fix:
index.htmlμ CSP μ€μ μrequire-trusted-types-for 'script'μ§μμ΄λ₯Ό μΆκ°νκ³ , ν립λ 보μ λΌμ΄λΈλ¬λ¦¬μΈ DOMPurifyλ₯Ό μ¬μ©ν΄ μ λ ₯μ μμ νκ² μλ νλ κΈ°λ³Έ(default) Trusted Types μ μ± μsecurity.jsμ λ±λ‘νμ΅λλ€. μ΄λ₯Ό ν΅ν΄ DOM sinkμ λ¬Έμμ΄μ΄ ν λΉλ λ μλμΌλ‘ μμ ν TrustedHTMLλ‘ λ³νλλλ‘ νμ¬ XSSλ₯Ό λ°©μ΄νκ³ ν¬λ‘λ―Έμ κΈ°λ° λΈλΌμ°μ μμμ μΆ©λμ μλ°©νμ΅λλ€.β Verification: κΈ°μ‘΄ i18n ν μ€νΈ μ€ν¬λ¦½νΈμ λμΌν νκ²½μμ λ‘컬 Playwright μ€ν¬λ¦½νΈλ₯Ό ν΅ν΄ μ±μ μ μ λ‘λ©κ³Ό ν μ€νΈ ν΅κ³Όλ₯Ό νμΈνμ΅λλ€. λΈλΌμ°μ μ½μμμ Trusted Types μ μ± μλ° μ€λ₯λ DOMPurifyλ‘ μΈν μΆ©λμ΄ λ°μνμ§ μμμ κ²μ¦νμ΅λλ€.
PR created automatically by Jules for task 1006353573105115304 started by @seonghobae