git --fixup is very handy to amend a change to a previous commit. You can then autosquash your commits with...
It is generally discouraged to load your JavaScript by a tag in the : The reason is that a tag will pause the DOM parser until the script has loaded and executed. This will delay the browser's first contentful paint. A much better default is to load your scripts with a tag: A deferred script has many...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
In case your integration tests crash with a message like below, try to upgrade Capybara to a newer version (3.35.3...
While renaming a file sometimes feels like "dropping its history", that is not true: Just use git log --follow on...
Sometimes you want to load code on demand. For instance, when a a large library is only used on a...
It sometimes happen that a database dump, that would want to insert into your development database, does not match the...
When logging in Rails, you can use the log_tags configuration option to add extra information to each line, like...
Rails 5.2+ supports "verbose query logs" where it shows the source of a query in the application log.
When writing some logs to a file, that don't use Ruby's logger utility, it is often useful to...
"Open-source software (OSS) is great. Anyone can use virtually any open-source code in their projects." Well, it depends...
When an event listener on a DOM element throws an error, that error will be silenced and not interrupt your...
There is a reasonable simple way to move data between Redis servers: Simply temporarily configure the new server as a...
Speaker today is Henning Koch, Head of Development at makandra. This talk will be in German with English slides.
We use CarrierWave in many of our projects to store and serve files of various formats - mostly images. A common...
In case you want to use pry with an older version of Ruby, you can try the following configurations.
You can install rubygems 3.0.8 (released on February 18, 2020) to keep all the Gem::Specification#rubyforge_project deprecation warnings...
The linked GitHub repository is a bit like our "dev" cards deck, but groomed from a single person (Josh Branchaud...
Sometimes it's nice to have some coloring in your logs for better readability. You can output your logs via...
Browsers come with a set of built-in elements like or . When we need a new component not covered by...
This is a bookmarklet you can add to Chrome or Firefox which will allow you to create a story in...
When using Chrome for Selenium tests, the chromedriver binary will be used to control Chrome. To debug problems that stem...
The main benefit of our convention to prefix commits by their corresponding Pivotal Tracker ID is that we can easily...
Capistrano automatically logs each (successful) deployment into a file on your application servers. It is located at the root of...