You want to use fields in your applications. However, your desktop users may encounter some weird quirks: Aside from allowing...
The gem better_errors offers a detailed error page with an interactive REPL for better debugging. I had the issue...
Inspired by recent "git shortcut" cards I figured it would be nice to have one of these for rebasing a...
Besides their default styling properties, HTML elements have a semantic meaning. For example, an h1 tag is usually styled with...
Most browsers have built-in drag and drop support for different page elements like text and images. While this may...
The RSpec matcher tests if two HTML fragments are equivalent. Equivalency means: Whitespace is ignored Types of attribute quotes are...
Rails has the handy controller method send_file which lets us download files easily. We can decide whether the file...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
You can scale background images in CSS to the container size using background-size (Demo). Commonly, we use contain or...
When using custom properties in your stylesheets, you may want to set a specific property value to an existing variable...
Formerly 301 (Moved Permanently) and 302 (Found) were used for redirecting. Browsers did implement them in different ways, so since...
If you have a flaky command you can use the nick-invision/retry to re-try a failing command, optionally...
After switching a project from Sprockets to Webpack, I started observing a bug that was hard to debug: Our...
We recently noticed issues with Chrome 75+ when having the w3c option enabled within the Selenium webdriver. It looks like...
When testing JavaScript functionality in Selenium (E2E), you may need to access a class or function inside of a evaluate...
rspec >= 3.1 brings a method and_wrap_original. It seems a bit complicated at first, but there are use cases...
When dealing with external data sources, you may have to deal with improperly encoded strings. While you should prefer deciding...
If your Webpack build is slow, you can use the Speed Measure Plugin for Webpack to figure out where time...
Webpack builds can take a long time, so we only want to compile when needed. This card shows what will...
Use rules to include or exclude jobs in pipelines. Rules are evaluated in order until the first match. When a...
Installing gems on a server that has no access to the internet (especially rubygems.org) requires to bundle the gems into...
If a project ist configured to spawn CI runners for tests or deployment when pushing to the Repo, a habit...
To attach files to your records, you will need a new database column representing the filename of the file...
Ruby 3.0 introduced a breaking change in how it treats keyword arguments. There is an excellent blog post on the...