When you load a <script> with a nonce, that script can await import() additional modules from any host. The nonce is propagated automatically, for the single purpose of importing further scripts (the same inheritance covers the static import statements inside a nonced module, which is what makes module graphs usable under a nonce-based CSP at all). This is unrelated to 'strict-dynamic', which propagates trust for any way of loading a script, not just imports (e.g. inserting script elements).

Example

We have a restrictive CSP that only allows nonces:

Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'

Our HTML loads script.js as a module using that nonce:

<script type="module" src="script.js" nonce="secret123"></script>

Our script.js imports other.js without a nonce:

let other = await import('other.js')
console.log("Look, script.js has imported %o", other)

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented with dynamic imports. Nonce propagation lets us combine automatic chunking with a restrictive, nonce-based CSP without resorting to 'strict-dynamic'.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There is no way to attach a nonce to that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this. The consequence is still worth spelling out: inside a nonced script, import(x) with an attacker-controlled x fetches and executes a module from any origin, so for that one call the nonce-based CSP no longer restricts anything. Treat a dynamic import() specifier like an eval() argument: keep it a literal, or validate it against a fixed list of your own chunk files before calling import().

Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based sources do not propagate trust: every request URL is checked against them afresh, whereas the nonce travels with the script's fetch options.
For example, suppose you only allow scripts from your own host (no nonces):

Content-Security-Policy: default-src 'none'; script-src 'self'

Our HTML loads script.js from our own host:

<script type="module" src="script.js"></script>

Our script.js imports other.js from a different host:

let other = await import('https://other-host.com/other.js')

This fails with a CSP violation:

Executing inline script violates the following Content Security Policy directive 'script-src 'self''
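To make the difference between the two examples above concrete, here is an added example (not code from the original card, and not a real browser) that models how a script-src directive is applied to a <script> element and to the import() calls that script makes. It assumes the nonce-inheritance rule from the HTML spec's "descendant script fetch options" and models only the source expressions the card uses ('none', 'self', 'nonce-...' and plain host sources); 'strict-dynamic', hashes and scheme sources are left out. The page origin https://app.example and the helper names are hypothetical.

```javascript
// Added example, not from the original card: a simplified model of script-src
// evaluation with nonce inheritance for descendant script fetches.
// Assumptions: page origin https://app.example (hypothetical), only the source
// expressions 'none', 'self', 'nonce-...' and host sources are understood.

// Return the source expressions that govern script loads:
// script-src if present, otherwise default-src (the CSP fallback rule).
function effectiveScriptSources(csp) {
  const directives = new Map(
    csp.split(';')
      .map(d => d.trim())
      .filter(Boolean)
      .map(d => {
        const [name, ...sources] = d.split(/\s+/);
        return [name, sources];
      })
  );
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Does one source expression allow a request to `target`, given the nonce
// carried in the request's fetch options (null when there is none)?
function sourceAllows(src, target, pageOrigin, nonce) {
  if (src === "'self'") return target.origin === pageOrigin;
  if (src.startsWith("'nonce-")) return nonce !== null && src === `'nonce-${nonce}'`;
  if (src.startsWith("'")) return false; // other keyword sources are not modelled
  // Plain host source such as https://cdn.example or cdn.example
  const host = src.includes('://') ? new URL(src) : new URL(`${target.protocol}//${src}`);
  return host.protocol === target.protocol && host.host === target.host;
}

function allowsScriptRequest(csp, pageOrigin, url, nonce) {
  const sources = effectiveScriptSources(csp);
  if (sources.includes("'none'")) return false;
  const target = new URL(url, pageOrigin);
  return sources.some(src => sourceAllows(src, target, pageOrigin, nonce));
}

// A <script type="module" src nonce> element. The nonce attribute becomes part
// of the script's fetch options, and descendant imports inherit those options.
function loadScriptElement(csp, pageOrigin, { src, nonce = null }) {
  const allowed = allowsScriptRequest(csp, pageOrigin, src, nonce);
  return { allowed, url: new URL(src, pageOrigin).href, fetchOptions: { nonce } };
}

// An import() issued from an already-loaded script: the request carries the
// parent's nonce, but its URL is checked afresh against 'self' / host sources.
function dynamicImport(csp, pageOrigin, parent, specifier) {
  if (!parent.allowed) return { allowed: false, reason: 'parent script never ran' };
  const nonce = parent.fetchOptions.nonce;
  const url = new URL(specifier, parent.url).href;
  return { allowed: allowsScriptRequest(csp, pageOrigin, url, nonce), url, nonce };
}

const PAGE_ORIGIN = 'https://app.example'; // hypothetical
const NONCE_POLICY = "default-src 'none'; script-src 'nonce-secret123'";
const HOST_POLICY = "default-src 'none'; script-src 'self'";

// Replays the two examples from the card and returns the outcomes.
function runCardExamples() {
  // Nonce-only policy: script.js carries the nonce; its import('other.js') has
  // no nonce attribute anywhere, yet succeeds because the nonce is inherited.
  const nonced = loadScriptElement(NONCE_POLICY, PAGE_ORIGIN, { src: 'script.js', nonce: 'secret123' });
  const sameHost = dynamicImport(NONCE_POLICY, PAGE_ORIGIN, nonced, 'other.js');
  // Only the inherited nonce is checked, so the same import from any other
  // host passes as well. This is the "should I worry" case.
  const anyHost = dynamicImport(NONCE_POLICY, PAGE_ORIGIN, nonced, 'https://other-host.com/other.js');

  // Host-based policy: nothing is inherited; the cross-host import is checked
  // against 'self' by URL and fails.
  const selfScript = loadScriptElement(HOST_POLICY, PAGE_ORIGIN, { src: 'script.js' });
  const crossHost = dynamicImport(HOST_POLICY, PAGE_ORIGIN, selfScript, 'https://other-host.com/other.js');

  return {
    noncedScript: nonced.allowed,   // true
    sameHostImport: sameHost.allowed, // true
    anyHostImport: anyHost.allowed,   // true: the nonce, not the host, decides
    selfScript: selfScript.allowed,   // true
    crossHostImport: crossHost.allowed, // false: 'self' is matched per URL
  };
}

console.log(runCardExamples());
```

The point the model makes visible is where each check lives: 'self' and host sources are evaluated against the URL of every request, while the nonce is a property of the fetch options that the parent script hands down to its imports. That is why a host-based policy blocks the cross-host import and a nonce-based policy does not, and why an import() whose specifier an attacker controls behaves like eval() under a nonce-based CSP. Verify real behaviour in a browser with the report-only header before relying on it.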