When you load a script with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to 'strict-dynamic', which propagates nonces for any purpose, not limited to imports (e.g. inserting elements).

Example

We have a restrictive CSP that only allows nonces:

```
Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'
```

Our HTML loads script.js using that nonce. Our script.js imports other.js without a nonce:

```js
let other = await import('other.js')
console.log("Look, script.js has imported %o", other)
```

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using 'strict-dynamic'. E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There's no way to inject a nonce into that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this.

Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, we only allow scripts from our own host (no nonces):

```
Content-Security-Policy: default-src 'none'; script-src 'self'
```

Our HTML loads script.js from our own host. Our script.js imports other.js from a different host:

```js
let other = await import('https://other-host.com/other.js')
```

This fails with a CSP violation:

```
Executing inline script violates the following Content Security Policy directive 'script-src 'self''
```
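To reason about both examples above (nonce-based policy vs. host-based policy) without opening a browser, here is an added policy evaluator that is not part of the original card. It encodes the propagation rule described above; `parseCsp`, `dynamicImportAllowed` and `safeOrigin` are names chosen for this example, and it assumes only script-src / default-src matter and matches host sources by origin only.

```javascript
// Added example (not from the original card): evaluate whether `await import(importUrl)`
// issued by a script is allowed under a CSP header, applying the nonce-propagation rule.
// Assumptions: only script-src / default-src are consulted (script-src-elem is ignored),
// and host sources are matched by origin only (no paths, no wildcard subdomains).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function safeOrigin(source) {
  try { return new URL(source.includes('://') ? source : `https://${source}`).origin; } catch { return null; }
}

// importerNonce: nonce attribute of the <script> performing the import (null if none).
// importUrl may be relative; it is resolved against pageOrigin like the browser would.
function dynamicImportAllowed(header, { pageOrigin, importerNonce, importUrl }) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] ?? policy['default-src'] ?? [];
  const importOrigin = new URL(importUrl, pageOrigin + '/').origin;
  const nonceTrusted = importerNonce !== null && sources.includes(`'nonce-${importerNonce}'`);

  // 'strict-dynamic': a nonced script may load further scripts by any means.
  if (sources.includes("'strict-dynamic'") && nonceTrusted) {
    return { allowed: true, reason: 'strict-dynamic' };
  }
  // Implicit propagation: the importer's nonce covers its descendant imports,
  // whatever host the imported script lives on.
  if (nonceTrusted) return { allowed: true, reason: 'nonce-propagation' };

  // Host-based sources do not propagate trust: the imported URL itself must match.
  for (const src of sources) {
    if (src === "'self'" && importOrigin === pageOrigin) return { allowed: true, reason: 'self' };
    if (src === '*' || (!src.startsWith("'") && safeOrigin(src) === importOrigin)) {
      return { allowed: true, reason: `host ${src}` };
    }
  }
  return { allowed: false, reason: 'no matching source' };
}
```

Feed it the two headers from this card: the nonce-based policy admits the cross-host import via propagation, while the 'self' policy only admits imports from the page's own origin.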