A flaky test is a test that is often green, but sometimes red. It may only fail on some PCs...
If you want Sidekiq to be able to talk to Redis on staging and production servers, you need to add...
Within development and test environments, Rails is usually configured to show a detailed debug page instead of 404s. However, there...
This RailsCast demonstrated a very convenient method to activate VCR for a spec by simply tagging it with :vcr.
RSpec is smart when using the include-matcher in combination with .not_to. One could assume that .not_to include...
Inspired by recent "git shortcut" cards I figured it would be nice to have one of these for rebasing a...
Event delegation is a pattern where a container element has a single event listener that handles events for all descendants...
Sometimes a link or input field has no visible label. E.g. a text field with a magnifying glass icon 🔎 and...
Besides their default styling properties, HTML elements have a semantic meaning. For example, an h1 tag is usually styled with...
Ruby lets you re-use existing RegExp objects by interpolating it into new patterns: locales_pattern = /de|en|fr|es/i...
The RSpec matcher tests if two HTML fragments are equivalent. Equivalency means: Whitespace is ignored Types of attribute quotes are...
We are using Spring in our tests for sequential test execution but not for parallel test execution. And Rails requires...
Bookmarks for directories will be most helpful if you are forced to work in deeply nested projects. Then it's...
With cd .. you can navigate one directory up from the one you are at now. If you use that a...
There is an option you can set so that when using the cd command, small typos are automatically corrected. Add...
The attached compiler() function below applies JavaScript behavior to matching HTML elements as they enter the DOM. This works like...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src. Solution 3: Don't use a strict CSP You can have a secure web application without a strict CSP. A Content Security Policy should never be your first line of defense against Cross-Site-Scripting (XSS). Your primary tool should be to escape and sanitize user input. Many template engines make it easy to do the right thing by escaping dynamic content by default. A CSP is a second security net. It's there when you slip up and somehow, somewhere don't sanitize user input. Depending on your project, you may decide to prioritize developer convenience over a strict CSP.
Our gem spreewald supports a few helpers for development. In case you notice errors in your Cucumber tests, you might...
When using custom properties in your stylesheets, you may want to set a specific property value to an existing variable...
It seems like changing the HTTP_ACCEPT_LANGUAGE is not possible for a headless chrome. On Ubuntu the headless Chrome...
Formerly 301 (Moved Permanently) and 302 (Found) were used for redirecting. Browsers did implement them in different ways, so since...
If you have a flaky command you can use the nick-invision/retry to re-try a failing command, optionally...
Accessing other repositories in Gitlab CI is not straight forward, since the access rights of the current pipeline might not...
Capybara added a deprecation warning in version 3.35.3 (version from 2019) that shows up if your selector is not of...