It's quite frustrating to come back to a coding agent after a while only to see that it needed...
When you load a script with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically, but for the one purpose of importing more scripts. This is not related to 'strict-dynamic', which propagates nonces for any purpose, not limited to imports (e.g. inserting script elements).

Example

We have a restrictive CSP that only allows nonces:

Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'

Our HTML loads script.js with a script tag carrying that nonce. Our script.js imports other.js without a nonce:

let other = await import('other.js')
console.log("Look, script.js has imported %o", other)

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using 'strict-dynamic'.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There is no way to inject a nonce into that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this.

Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, we only allow scripts from our own host (no nonces):

Content-Security-Policy: default-src 'none'; script-src 'self'

Our HTML loads script.js from our own host. Our script.js imports other.js from a different host:

let other = await import('https://other-host.com/other.js')

This fails with a CSP violation:

Executing inline script violates the following Content Security Policy directive 'script-src 'self''
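The two cases above (nonce-based policy versus host-based policy), as an added example that is not code from the card: a small JavaScript model of how a browser's CSP check treats a script element and a dynamic import() issued from that script. It implements the rule the card describes, namely that the importing script's nonce travels with the import request ("descendant script fetch options"), while host-based trust is never inherited because the imported URL itself is matched against the host sources. The page origin https://app.example/, the function names and the scenario inputs are constructed for this example; real browsers also evaluate hashes, scheme sources, 'strict-dynamic' and report-only policies, which this model leaves out.

```javascript
// Added example (not browser or card code): a model of CSP script-src checks
// for a <script> element and for a dynamic import() made from that script.

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src falls back to default-src; with neither present nothing is restricted.
function effectiveScriptSources(policy) {
  return policy['script-src'] ?? policy['default-src'] ?? null;
}

// Does one source expression match a request for `url` that carries `nonce`?
// Modeled: 'none', 'self', 'nonce-...', '*' and plain host sources.
function sourceMatches(expr, { url, pageOrigin, nonce }) {
  const e = expr.replace(/^'|'$/g, '');          // 'self' -> self, 'nonce-x' -> nonce-x
  const target = new URL(url, pageOrigin);        // resolve relative URLs against the page
  if (e === 'none') return false;
  if (e === 'self') return target.origin === new URL(pageOrigin).origin;
  if (e.startsWith('nonce-')) return nonce !== undefined && nonce === e.slice('nonce-'.length);
  if (e === '*') return true;
  const host = e.includes('://') ? new URL(e).host : e;   // host source, with or without scheme
  return target.host === host;
}

// Check a <script src=url nonce=nonce> element against the policy.
function scriptElementAllowed(cspHeader, request) {
  const sources = effectiveScriptSources(parseCsp(cspHeader));
  if (sources === null) return true;
  return sources.some((expr) => sourceMatches(expr, request));
}

// A dynamic import() issued by a script inherits that script's nonce
// (descendant script fetch options). Nothing else is inherited: the imported
// URL is still matched against 'self' and host sources on its own.
function dynamicImportAllowed(cspHeader, { importerNonce, url, pageOrigin }) {
  return scriptElementAllowed(cspHeader, { url, pageOrigin, nonce: importerNonce });
}

// Constructed scenarios mirroring the card's two policies.
const PAGE = 'https://app.example/';                                   // constructed origin
const NONCE_CSP = "default-src 'none'; script-src 'nonce-secret123'";  // policy from the card
const SELF_CSP = "default-src 'none'; script-src 'self'";              // policy from the card

function scenarios() {
  return {
    // script.js is loaded with the correct nonce; its imports are allowed on any host
    noncePageLoadsScript: scriptElementAllowed(NONCE_CSP, { url: 'script.js', pageOrigin: PAGE, nonce: 'secret123' }),
    nonceImportSameHost: dynamicImportAllowed(NONCE_CSP, { importerNonce: 'secret123', url: 'other.js', pageOrigin: PAGE }),
    nonceImportOtherHost: dynamicImportAllowed(NONCE_CSP, { importerNonce: 'secret123', url: 'https://other-host.com/other.js', pageOrigin: PAGE }),
    // A script element with a wrong nonce is blocked outright
    nonceWrongNonce: scriptElementAllowed(NONCE_CSP, { url: 'script.js', pageOrigin: PAGE, nonce: 'wrong' }),
    // Host-based policy: a self-hosted script may import from self, but not from another host
    selfImportSameHost: dynamicImportAllowed(SELF_CSP, { importerNonce: undefined, url: 'other.js', pageOrigin: PAGE }),
    selfImportOtherHost: dynamicImportAllowed(SELF_CSP, { importerNonce: undefined, url: 'https://other-host.com/other.js', pageOrigin: PAGE }),
  };
}

console.log(scenarios());
```

The model makes the card's point visible in one place: the nonce-based policy allows the cross-host import because the request carries the inherited nonce, whereas the 'self' policy blocks the same import because host matching looks at the imported URL, not at who issued the request.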
Below is a strict, but still workable Content Security Policy for your Ruby on Rails project. Use this CSP if...
When working with file uploads, we sometimes need to process intrinsic properties like the page count or page dimensions of...
I recently encountered this error as I was trying to build assets: $ node esbuild.config.js .../node_modules/esbuild-plugin-browserslist/dist/resolveToEsbuildTarget.js:43 throw new Error('Could...
Postgres supports multiple built-in range datatypes: int4range int8range numrange tsrange (range with timestamp without timezone) tstzrange (range with timestamp...
You may remember to use the || operator with caution to set defaults. We'll see that && and other conditionals come...
In rare circumstances, you want to use a websites full domain (say https://mywebsite.com) while testing in dev mode. This...
TypeScript basically uses structural typing, which is conceptually quite similar to duck typing, but with static compile-time type checking...
Leaving old unused DB columns around after a migration is confusing for other developers. However, dropping columns too eagerly might...
I use the Gemini web chat interface quite extensively. One thing that is tedious is giving it all the context...
Event listeners are called in the order of their registration: button.addEventListener('click', () => console.log("I run first")) button.addEventListener('click', () => console.log("I...
I recently had to update a few selective npm libraries in a project that uses pnpm to apply a CVE...
Sometimes you have a maintenance script where you want to iterate over all ActiveRecord models. Rails provides this out of...
When creating a database table for a join model without further importance, you can use Rails' create_join_table:
When you query the browser for DOM elements, there are some footguns you should know about. Some lists are synchronized...
Finding changes When you're looking for a specific change in Git, there are multiple axes you can choose:
When you replace parts of the DOM with new HTML, using .innerHTML = newHtml is usually the simplest and fastest option...
Most of the time, it's a good default to add a unique index on the foreign key when using...
Full-text search can reach its limits in terms of flexibility and performance. In such cases, trigram indexes (pg_trgm...
Quick guide for frequently used compiler selector patterns of Unpoly. 1. BEM Component Pattern When: Reusable UI components with multiple...
The linked tool can be used to scan your CI/CD workflows for potential security issues and suboptimal defaults if they...
In Rails 8 the behavior of the rails db:migrate command has changed for fresh databases (see PR #52830).
I had to modify the time for an application that I launch through Docker. Here is an approach that worked...