makandra dev

Hybrid search runs a vector query and a keyword query in parallel against the same documents and merges the two...

makandra dev

Getting parseable output back from an LLM has two halves: shaping the request, then parsing the response. Even with Ollama...

RAG is often equated with vector databases, embeddings, and semantic search. But RAG ("Retrieval-Augmented Generation") really is just 'put...

github.com

By default, Ollama produces non-deterministic output: The same prompt will yield slightly different results each time. To get reproducible...

makandracards.com

I've updated my "claude wants user input" script. It's now a bit more complicated, but it will now...

I find it annoying to iterate on a spec that relies on a recorded VCR cassette. You constantly have to...

You can report CSP violations to a log file. Note that there will be a lot of noise, that is...

When you load a <script> with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to 'strict-dynamic', which propagates nonces for any purpose, not limited to imports (e.g. inserting script elements).

Example

We have a restrictive CSP that only allows nonces:

    Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'

Our HTML loads script.js using that nonce (the script is a module, since it uses top-level await):

    <script type="module" src="script.js" nonce="secret123"></script>

Our script.js imports other.js without a nonce:

    let other = await import('other.js')
    console.log("Look, script.js has imported %o", other)

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using 'strict-dynamic'.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There is no way to inject a nonce into that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this.

Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, say you only allow scripts from your own host (no nonces):

    Content-Security-Policy: default-src 'none'; script-src 'self'

Our HTML loads script.js from our own host:

    <script type="module" src="script.js"></script>

Our script.js imports other.js from a different host:

    let other = await import('https://other-host.com/other.js')

This fails with a CSP violation:

    Executing inline script violates the following Content Security Policy directive 'script-src 'self''

Below is a strict, but still workable Content Security Policy for your Ruby on Rails project. Use this CSP if...

api.rubyonrails.org

When working with file uploads, we sometimes need to process intrinsic properties like the page count or page dimensions of...

If you need to implement newsletter sending, rapidmail is a solid option. Support is very fast, friendly and helpful, and...

In rare circumstances, you want to use a website's full domain (say https://mywebsite.com) while testing in dev mode. This...

I use the Gemini web chat interface quite extensively. One thing that is tedious is giving it all the context...

If your rubocop run fails with a stack like rubocop-1.61.0/lib/rubocop/server/socket_reader.rb:36:in `ensure in read!': undefined method `string...

Event listeners are called in the order of their registration: button.addEventListener('click', () => console.log("I run first")) button.addEventListener('click', () => console.log("I...

The :test adapter doesn't respect limits_concurrency configuration. Switch to :solid_queue adapter in your test to verify blocking...

If you use the selenium-webdriver gem, it will sneakily phone home once every hour whenever you run a browser...

I recently had to update a few selective npm libraries in a project that uses pnpm to apply a CVE...

Finding changes When you're looking for a specific change in Git, there are multiple axes you can choose:

developer.chrome.com

The File System Access API is a new capability of modern browsers that allows us to iterate over selected folders...

Enable local logging for Sentry when: Debugging Sentry event capture locally Testing error handling without polluting production metrics Developing background...

unpoly.com

Quick reference for passing data from Rails to JavaScript via Unpoly compilers. Haml Attribute Syntax # Using hash rockets and string...

GoodJob and ActiveJob rescue exceptions internally, preventing exception_notification from triggering. This can cause silent job failures. To get notified, subscribe...

prettier calls itself an opinionated code formatter. I recommend using it for your JavaScript and TypeScript code. prettier only concerns...