makandra Curriculum

Git is our version control system. Goals Understand why we use git. Learn how to work with your local repository...

JavaScript is a scripting language supported by all browsers. Browsers don't speak Ruby, so if we want to implement...

In this card we will learn to write code that scales with a large number of database records. We will...


When your code does not behave as expected, you can use a debugger statement ("breakpoint") at any point in your...


Built-in matchers Get an overview of all the matchers that are built into RSpec. Play with some of...


Learn Enough Command Line to be Dangerous (it's in our library => Google Drive) CLI tricks every developer should...


Understand why we use pagination Exercises Create 7500 movies in MovieDB (hint: Doing it in a single transaction is...


Read the Rails Guide about Active Record migrations Understand why we never use models in migrations. Checkout the repository...


Understand the differences between git diff and git diff --staged (or git diff --cached) Understand the difference between git...

What is a Cookie? Google it if you do not know. How are cookies transferred between your browser and...

Stepping forward from JavaScript Basics, the goal of this card is for you to be able to read and write...

Understand how asynchronous JavaScript works: Read Henning's presentation about asynchronous Javascript (there's also a German video presentation...

For each movie in MovieDB, we want to track which other movie it was inspired by. For...


When you load a script with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to 'strict-dynamic', which propagates nonces for any purpose, not limited to imports (e.g. inserting <script> elements).

Example

We have a restrictive CSP that only allows nonces:

    Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'

Our HTML loads script.js with a <script> tag carrying that nonce. Our script.js imports other.js without a nonce:

    let other = await import('other.js')
    console.log("Look, script.js has imported %o", other)

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using 'strict-dynamic'. E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There's no way to inject a nonce into that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this.

Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, suppose we only allow scripts from our own host (no nonces):

    Content-Security-Policy: default-src 'none'; script-src 'self'

Our HTML loads script.js from our own host. Our script.js imports other.js from a different host:

    let other = await import('https://other-host.com/other.js')

This fails with a CSP violation:

    Executing inline script violates the following Content Security Policy directive 'script-src 'self''
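The following Node.js script is an added example, not code from the makandra card or from any browser. It models the rule the card describes: a script-src policy is checked against each script fetch, a descendant import() fetch inherits only the importing script's nonce, and host-based sources such as 'self' are matched against the imported URL itself. It also includes a small scan for import() calls whose argument is not a string literal, which is the one spot the "Should I worry about this?" paragraph points at. The document origin https://our-host.com, the sample bundle lines and the exact-host matching of host-sources are assumptions made for the example.

```javascript
// Added example, not code from the makandra card or from any browser:
// a minimal model of how a browser applies script-src to a script fetch,
// including the nonce propagation to descendant import() fetches, plus a
// defender-side scan for import() calls whose argument is not a literal.
// Assumptions: the page origin is https://our-host.com, and host-sources are
// matched on exact host only (no schemes, wildcards or paths).

const DOCUMENT_ORIGIN = 'https://our-host.com'; // assumed origin of the document

// Parse a Content-Security-Policy header into { directiveName: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Decide whether one script fetch passes the policy.
// request = { url, nonce?, parentNonce? }
//   nonce       - nonce attribute on the <script> element itself
//   parentNonce - nonce of the module that called import() (descendant fetch)
function isScriptFetchAllowed(header, request) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'] || [];
  const url = new URL(request.url, DOCUMENT_ORIGIN);

  // Descendant script fetches inherit the importing script's nonce; nothing
  // else (in particular no host-based trust) is inherited.
  const effectiveNonce = request.nonce || request.parentNonce || null;

  for (const src of sources) {
    if (src.startsWith("'")) {
      const keyword = src.slice(1, -1);
      if (keyword.startsWith('nonce-') && keyword.slice(6) === effectiveNonce) {
        const how = request.nonce ? 'element nonce' : 'nonce propagated from importer';
        return { allowed: true, reason: `${src} matched via ${how}` };
      }
      if (keyword === 'self' && url.origin === DOCUMENT_ORIGIN) {
        return { allowed: true, reason: "'self' matched document origin" };
      }
      continue; // 'none', 'strict-dynamic', etc. are not modelled here
    }
    if (url.host === src) {
      return { allowed: true, reason: `host-source ${src} matched` };
    }
  }
  return { allowed: false, reason: `no source in [${sources.join(' ')}] matches ${url.href}` };
}

// Flag import() calls whose argument is not a plain string literal. With
// nonce propagation, a non-literal argument is the one place where untrusted
// data could steer a nonce-authorised fetch, so it deserves review.
function findNonLiteralDynamicImports(source) {
  const findings = [];
  const importCall = /\bimport\s*\(\s*([^)]*?)\s*\)/g;
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(importCall)) {
      // A literal is a single quoted string with no escapes or ${} pieces.
      const isLiteral = /^(['"`])(?:(?!\1)[^`$\\])*\1$/.test(m[1]);
      if (!isLiteral) findings.push({ line: idx + 1, snippet: m[0] });
    }
  });
  return findings;
}

// Constructed sample of a compiled bundle (not real esbuild output).
const SAMPLE_BUNDLE = [
  "const chunk = await import('assets/chunk-NAXSMFJV.js');",
  "const page = await import(location.hash.slice(1));",
  "import('./i18n/' + lang + '.js').then(setLocale);",
].join('\n');

const NONCE_CSP = "default-src 'none'; script-src 'nonce-secret123'";
const SELF_CSP = "default-src 'none'; script-src 'self'";

// The two scenarios from the card: propagated nonce passes, 'self' does not
// cover a cross-host import, and the scan reports lines 2 and 3 only.
console.log(isScriptFetchAllowed(NONCE_CSP, { url: 'other.js', parentNonce: 'secret123' }));
console.log(isScriptFetchAllowed(SELF_CSP, { url: 'https://other-host.com/other.js', parentNonce: 'secret123' }));
console.log(findNonLiteralDynamicImports(SAMPLE_BUNDLE));
```

The model deliberately leaves out 'strict-dynamic', hashes, scheme and wildcard sources; its point is the asymmetry the card describes, which the scan complements by listing exactly those import() sites that a reviewer has to read by hand.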

You may remember to use the || operator with caution to set defaults. We'll see that && and other conditionals come...
