There is no single place to look up documentation for our stack. This card includes some hints where you can...
Rails is our web framework. Goals Be able to write a simple Rails application. Understand how Rails talks to the...
Understand at least the following CSS concepts: Classes Selecting elements for styling Basic styling (color, typography, spacing)
JavaScript code can access and manipulate the browser's DOM tree. Using JavaScript we can add interactive behavior to our...
Learn to read and write Haml. Understand the different attributes syntaxes (curly braces vs. round parentheses) Exercises Convert MovieDB...
Understand what Memoization is and when it can be useful. Understand the @variable ||= computation pattern. Learn how to use...
Understand why we use pagination Exercises Create 7500 movies in MovieDB (hint: Doing it in a single transaction is...
Learn to treat files as an ActiveRecord attribute type, like :string or :integer Research Look at the README for...
You have the following HTML structure:
If you want to run Javascript code whenever someone clicks on a ...
..., you...
A common task in web applications is to add client-side JavaScript behavior to existing HTML elements.
Web security basics Einführung in die Web Security 🇩🇪 provides essentials for the topic of this card. Read the following chapters:
Understand how nested attributes appear in the params. See how the Rails form helpers encode the names of nested...
Resources RubyGuides: Mastering Ruby Regular Expressions Using regular expressions in JavaScript Testing regular expressions visually Regular Expressions: Quantifier modes...
Get an idea of the varying support for HTML/CSS/JavaScript features in different browsers like Chrome, Firefox, Internet Explorer, Edge...
While working on a Rails application, your code base will grow a collection of different file types including: Ruby (business...
We are using the BEM pattern ("Block, Element, Modifier") to structure our CSS in all new projects. We try to...
Just like we use gems on the server, we use third party JavaScript libraries in the browser. These typically provide...
In a web application you often need to move data between the client (HTML, Javascript) and the server (Ruby, Rails...
Jasmine is a great tool to unit test your JavaScript components without writing an expensive end-to-end test for...
If you've stumbled over display: grid while reading the Flexbox material of the previous card - we've got you...
Resources Rails Guide: Internationalization API Guide to localizing a Rails application Locale-aware helpers in ActionView::Helpers::NumberHelper
Action Mailer Basics and Previews Chapter "Task H1: Sending Confirmation Emails" from Agile Web Development with Rails (in our...
We've already learned how to integrate user-provided images uploads to our application in 205 basic file uploads and...
When you load a <script> with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to 'strict-dynamic', which propagates nonces for any purpose, not limited to imports (e.g. inserting <script> elements).

Example

We have a restrictive CSP that only allows nonces:

    Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'

Our HTML loads script.js using that nonce (the <script> element carries nonce="secret123"). Our script.js imports other.js without a nonce:

    let other = await import('other.js')
    console.log("Look, script.js has imported %o", other)

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using 'strict-dynamic'. E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There is no way to inject a nonce into that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this.

Is this a browser bug?

It is by design. Here are some sources:

HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
Chromium test ensuring nonce propagation
Firefox bug implementing nonce propagation
CSP issue: Someone concerned about propagation being a vulnerability
CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.
For example, suppose we only allow scripts from our own host (no nonces):

    Content-Security-Policy: default-src 'none'; script-src 'self'

Our HTML loads script.js from our own host (a <script> element without a nonce). Our script.js imports other.js from a different host:

    let other = await import('https://other-host.com/other.js')

This fails with a CSP violation:

    Executing inline script violates the following Content Security Policy directive 'script-src 'self''
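The decision rule the card describes, as an added example that is not part of the card: a small JavaScript model of how a script-src directive is evaluated for a dynamic import(), where the importing script's nonce is propagated but 'self'/host matching is re-evaluated against the imported URL. The helper names parseCsp/sourceMatches/isImportAllowed, the page origin https://app.example.com and the simplified host-source matching are assumptions of this model, not browser or spec APIs.

```javascript
// Added example (not from the card): a small model of the CSP decision a browser makes
// when a running script calls import(), including the implicit nonce propagation
// described above. parseCsp() and isImportAllowed() are hypothetical helper names;
// they are not browser or spec APIs.

// "default-src 'none'; script-src 'nonce-secret123'" -> { 'default-src': [...], 'script-src': [...] }
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// One source expression against one script URL. `nonce` is the nonce carried in the
// fetch options; for an import() that is the *importing* script's nonce (propagated).
function sourceMatches(source, scriptUrl, pageOrigin, nonce) {
  const target = new URL(scriptUrl, pageOrigin); // resolve 'other.js' against the page
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === pageOrigin; // re-checked per URL, not inherited
  const m = /^'nonce-(.+)'$/.exec(source);
  if (m) return nonce !== null && m[1] === nonce;
  return target.origin === source; // simplified host source such as https://cdn.example.com
}

// Would `import(scriptUrl)` from a script loaded with `parentNonce` (null if it had none)
// pass this policy? script-src falls back to default-src; no directive at all means allowed.
function isImportAllowed(header, scriptUrl, pageOrigin, parentNonce) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin, parentNonce));
}

// Constructed scenarios mirroring the card's two policies; the page origin is made up.
const NONCE_CSP = "default-src 'none'; script-src 'nonce-secret123'";
const HOST_CSP = "default-src 'none'; script-src 'self'";
const PAGE = 'https://app.example.com';

const cases = [
  ['nonce CSP, same host', NONCE_CSP, 'other.js', 'secret123'],
  ['nonce CSP, other host', NONCE_CSP, 'https://other-host.com/other.js', 'secret123'],
  ['host CSP, same host', HOST_CSP, 'other.js', null],
  ['host CSP, other host', HOST_CSP, 'https://other-host.com/other.js', null],
];
for (const [label, csp, url, nonce] of cases) {
  console.log(label, '->', isImportAllowed(csp, url, PAGE, nonce) ? 'allowed' : 'blocked');
}
```

The last case is the card's failing example: with a host-based policy the imported URL is judged on its own origin, so no trust carries over from script.js.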
Below is a strict, but still workable Content Security Policy for your Ruby on Rails project. Use this CSP if...