For my computer science bachelor's thesis I programmed and evaluated a CLI Test Case Prioritization (TCP) tool for makandra...
Git log offers useful options for filtering. This card provides a short overview. By message Only commits that include a...
Suppose you want to implement a publish/subscribe pattern in your Frontend application to react to data changes and events. First...
When RubyMine reports Rubocop returning "exit code -1", upgrading Rubocop can be the fix: gem install rubocop "The logs" can...
Splitting up commits makes the process of reviewing often easier, since you can create several merge requests or review every...
tl;dr asdf allows you to manage multiple runtime versions with a single CLI tool and is backwards compatible by...
This is a checklist I use to work on issues. For this purpose I extracted several cards related to the...
Sometimes I ran across a GitHub merge request of a gem where it was not completely obvious in which version...
Our CI setup frequently sees this error while running yarn install: yarn install v1.22.19 [1/4] Resolving packages... [2/4] Fetching packages...
In a Jasmine spec you want to spy on a function that is imported by the code under test. This...
You have uncommited changes (you can always check by using git status), which you want to discard.
If you want to see the git history of a project file, that doesn't exist anymore, the normal git...
In case you have trouble with the zeitwerk autoloader, you can check out the documentation Autoloading and Reloading Constants and...
It might sometimes be useful to check whether your Rails application accesses the file system unnecessarily, for example if your...
We use foreman to start all necessary processes for an application, which are declared in a Procfile. This is very...
You want to deploy new features but the latest commits are not ready for production? Then use git merge master...
Jasmine has spyOnProperty(), but it only works if the property is implemented using getter and setter functions. This is a...
Inspired by recent "git shortcut" cards I figured it would be nice to have one of these for rebasing a...
Event delegation is a pattern where a container element has a single event listener that handles events for all descendants...
git --fixup is very handy to amend a change to a previous commit. You can then autosquash your commits with...
It is generally discouraged to load your JavaScript by a tag in the : The reason is that a tag will pause the DOM parser until the script has loaded and executed. This will delay the browser's first contentful paint. A much better default is to load your scripts with a tag: A deferred script has many...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
In case your integration tests crash with a message like below, try to upgrade Capybara to a newer version (3.35.3...
While renaming a file sometimes feels like "dropping its history", that is not true: Just use git log --follow on...