Method lookup Understand all the terms in How Ruby method lookup works, in particular: include extend singleton class
Your MovieDB gained traction and is now a popular tool among cineasts. This comes with a downside: You noticed a...
Exercise 1: Maps In MovieDB, add a new field “Principal filming location”. In a movie’s show view, geocode that...
Exercise 1: XML On the start page of your Movie DB, show the title of a random movie that is...
Jasmine is a great tool to unit test your JavaScript components without writing an expensive end-to-end test for...
Learn to store attachments in a way that is accessible by authorized users only Learn to prevent users from...
Read the following material: World's shortest UI/UX design course Easiest Way to Pick UI Colors
If you've stumbled over display: grid while reading the Flexbox material of the previous card - we've got you...
Many of our clients can't or don't want to design their user interfaces. In the absence of a...
In our daily life as web developers we are constantly faced with technical problems that can be solved with a...
Adopting legacy Rails apps Talk to your mentor about how we're approaching applications that are either old or abandoned...
Goal of this lesson is to understand what middlewares in Rack are good for. Rack Start with these articles:
Some tasks in a web application are better not done live when a user request a page, but in the...
Resources Rails Guide: Internationalization API Guide to localizing a Rails application Locale-aware helpers in ActionView::Helpers::NumberHelper
Action Mailer Basics and Previews Chapter "Task H1: Sending Confirmation Emails" from Agile Web Development with Rails (in our...
Web technology is a broad field and you cannot be an expert in all aspects. However, it is useful to...
What is rake good for? Take a look at some of the Rake tasks that Rails gives you (rake...
For each movie in MovieDB, we want to track which other movie it was inspired by. For...
While the Software Design Basics card tried to make a point about writing self explanatory code, it's still...
Rails ships with two separate build pipelines: Sprockets ("asset pipeline") and Webpacker. Webpacker has many more moving parts, but allows...
Talk with a colleague and find out why we're using building some of our sites using static site...
We've already learned how to integrate user-provided images uploads to our application in 205 basic file uploads and...
Best results in other decks
When you load a with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to strict-dynamic, which propagates nonces for any propose not limited to imports (e.g. inserting elements). Example We have a restrictive CSP that only allows nonces: Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123' Our HTML loads script.js using that nonce: Our script.js imports other.js without a nonce: let other = await import('other.js') console.log("Look, script.js has imported %o", other) The import succeeds without a nonce, due to implicit nonce propagation. Why this is useful In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using strict-dynamic. E.g. esbuild automatically groups dynamically imported modules into chunks, and writes that chunk to disk. The compiled build has an await import('assets/chunk-NAXSMFJV.js'). There's no way to inject a nonce into that import(), but implicit nonce propagation still allows the request. Should I worry about this? It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this. Is this a browser bug? It is by design. Here are some sources: HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options") Chromium test ensuring none propagation Firefox bug implementing nonce propagation CSP issue: Someone concerned about propagation being a vulnerability CSP issue: Proposal for import-src that went nowhere Are other CSP sources also propagated? No, only nonces. In particular host-based CSPs do not propagate trust. For example, you only allow scripts from our own host (no nonces): Content-Security-Policy: default-src 'none'; script-src 'self' Our HTML loads script.js from our own host: Our script.js imports other.js from a different host: let other = await import('https://other-host.com/other.js') This fails with a CSP violation: Executing inline script violates the following Content Security Policy directive 'script-src 'self''
Below is a strict, but still workable Content Security Policy for your Ruby on Rails project. Use this CSP if...