When you load a `<script>` with a nonce, that script can `await import()` additional sources from any hostname. The nonce is propagated automatically, for the one purpose of importing more scripts. This is not related to `'strict-dynamic'`, which propagates nonces for any purpose, not limited to imports (e.g. inserting elements).

## Example

We have a restrictive CSP that only allows nonces:

```
Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'
```

Our HTML loads `script.js` using that nonce:

```html
<script type="module" nonce="secret123" src="script.js"></script>
```

Our `script.js` imports `other.js` without a nonce:

```js
let other = await import('other.js')
console.log("Look, script.js has imported %o", other)
```

The import succeeds without a nonce, due to implicit nonce propagation.

## Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using `'strict-dynamic'`.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build has an `await import('assets/chunk-NAXSMFJV.js')`. There's no way to inject a nonce into that `import()`, but implicit nonce propagation still allows the request.

## Should I worry about this?

It would require some truly strange code for user input to make it into an `import()` argument. I wouldn't lose sleep over this.

## Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for `import-src` that went nowhere

## Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, you only allow scripts from your own host (no nonces):

```
Content-Security-Policy: default-src 'none'; script-src 'self'
```

Our HTML loads `script.js` from our own host:

```html
<script type="module" src="script.js"></script>
```

Our `script.js` imports `other.js` from a different host:

```js
let other = await import('https://other-host.com/other.js')
```

This fails with a CSP violation:

```
Executing inline script violates the following Content Security Policy directive 'script-src 'self''
```
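To make the propagation rule concrete, here is a small JavaScript model (an added example, not code from the original card, from any browser, or from the HTML/CSP specs) of how a `script-src` policy is evaluated once for the top-level `<script>` and again for each `import()` that script makes. It assumes a page origin of `https://app.example` and reuses the two policies above; it only models `'self'`, plain host sources and `'nonce-…'` expressions, leaving out `'strict-dynamic'`, hashes and wildcard hosts.

```javascript
// Added example: a simplified model of script-src evaluation for a top-level
// <script> and the dynamic import() calls it makes. It is not the HTML/CSP
// spec algorithm and not browser code; it only models 'self', plain host
// sources and 'nonce-...' (no 'strict-dynamic', hashes or wildcard hosts).

// Split a CSP header value into directives and return the source list that
// governs scripts: script-src, falling back to default-src, else null (no policy).
function effectiveScriptSources(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// A nonce source expression matches only if the fetch carries exactly that nonce.
function nonceAllowed(sources, nonce) {
  return nonce !== null && sources.includes(`'nonce-${nonce}'`);
}

// Host-based matching is done per URL: 'self' means the page's own origin,
// anything else not in quotes is treated as a scheme-host source expression.
function hostAllowed(sources, scriptUrl, pageOrigin) {
  const target = new URL(scriptUrl, pageOrigin);
  const self = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'self'") {
      if (target.origin === self.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // 'none', nonces, hashes, keywords: not host sources
    try {
      const candidate = src.includes('://') ? src : `${self.protocol}//${src}`;
      if (new URL(candidate).origin === target.origin) return true;
    } catch {
      // unparsable source expression: ignore it
    }
  }
  return false;
}

// Load a top-level <script src=... nonce=...>. Returns a script context that
// carries the element's nonce forward to descendant fetches, or null if blocked.
function loadScript(policy, pageOrigin, src, nonce = null) {
  const sources = effectiveScriptSources(policy);
  if (sources !== null && !nonceAllowed(sources, nonce) && !hostAllowed(sources, src, pageOrigin)) {
    return null;
  }
  return { nonce };
}

// import() from a running script: the descendant fetch inherits the parent's
// nonce, so a nonce-only policy allows it for any host. Host sources are still
// checked against the imported URL itself and are not inherited.
function dynamicImport(policy, pageOrigin, parentContext, specifier) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return nonceAllowed(sources, parentContext.nonce) || hostAllowed(sources, specifier, pageOrigin);
}

// Walk the two scenarios from the card and report which imports are allowed.
function runScenarios(pageOrigin = 'https://app.example') { // assumed page origin
  const noncePolicy = "default-src 'none'; script-src 'nonce-secret123'";
  const selfPolicy = "default-src 'none'; script-src 'self'";
  const nonceCtx = loadScript(noncePolicy, pageOrigin, 'script.js', 'secret123');
  const selfCtx = loadScript(selfPolicy, pageOrigin, 'script.js');
  return {
    nonceRelativeImport: dynamicImport(noncePolicy, pageOrigin, nonceCtx, 'other.js'),
    nonceCrossHostImport: dynamicImport(noncePolicy, pageOrigin, nonceCtx, 'https://other-host.com/other.js'),
    nonceChunkImport: dynamicImport(noncePolicy, pageOrigin, nonceCtx, 'assets/chunk-NAXSMFJV.js'),
    selfRelativeImport: dynamicImport(selfPolicy, pageOrigin, selfCtx, 'other.js'),
    selfCrossHostImport: dynamicImport(selfPolicy, pageOrigin, selfCtx, 'https://other-host.com/other.js'),
  };
}

console.table(runScenarios());
```

Running it with Node prints a table in which every import under the nonce policy is allowed (including the esbuild chunk) while only the same-origin import survives under `'self'`; the one place the two policies differ in the model is `dynamicImport`, where the inherited `parentContext.nonce` is consulted but `'self'` is re-evaluated against the imported URL.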
