When you load a `<script>` with a nonce, that script can `await import()` additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to `strict-dynamic`, which propagates the trust of a nonced script for any purpose, not just imports (e.g. inserting `<script>` elements).

## Example

We have a restrictive CSP that only allows nonces:

```
Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'
```

Our HTML loads `script.js` through a `<script>` tag carrying `nonce="secret123"`.

Our `script.js` imports `other.js` without a nonce:

```js
let other = await import('other.js')
console.log("Look, script.js has imported %o", other)
```

The import succeeds without a nonce, due to implicit nonce propagation.

## Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without resorting to `strict-dynamic`.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an `await import('assets/chunk-NAXSMFJV.js')`. There's no way to inject a nonce into that `import()`, but implicit nonce propagation still allows the request.

## Should I worry about this?

It would require some truly strange code for user input to make it into an `import()` argument. I wouldn't lose sleep over this.

## Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for `import-src` that went nowhere

## Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, we only allow scripts from our own host (no nonces):

```
Content-Security-Policy: default-src 'none'; script-src 'self'
```

Our HTML loads `script.js` from our own host through a plain `<script>` tag.

Our `script.js` imports `other.js` from a different host:

```js
let other = await import('https://other-host.com/other.js')
```

This fails with a CSP violation:

```
Executing inline script violates the following Content Security Policy directive 'script-src 'self''
```
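The two cases above, modelled as an added example (this is not code from the card or from any browser): a small decision function that applies the nonce-propagation rule, the `strict-dynamic` rule and plain host matching to an `import()` request. It assumes a document origin of `https://app.example` and only understands `'self'`, host sources, `'nonce-...'` and `'strict-dynamic'`.

```javascript
// Added example, not part of the original card: a simplified model of how a
// browser decides whether a dynamic import() issued by a running script passes
// the page's script-src directive. Assumed: only 'self', plain host sources,
// 'nonce-...' and 'strict-dynamic' are modelled; browsers evaluate far more.

function parseScriptSrc(csp) {
  // Extract the source list of the script-src directive from a header value.
  const directive = csp.split(';').map(s => s.trim()).find(s => s.startsWith('script-src'));
  if (!directive) throw new Error('no script-src directive in policy');
  return directive.split(/\s+/).slice(1);
}

function hostMatches(sourceExpr, targetUrl) {
  // Plain host source such as "https://other-host.com" or "other-host.com".
  const host = sourceExpr.replace(/^[a-z]+:\/\//i, '').replace(/\/.*$/, '');
  return targetUrl.host === host;
}

// ctx describes the importing (parent) script:
//   pageOrigin      - origin of the document, e.g. "https://app.example"
//   parentNonce     - nonce attribute of the parent <script>, or null
//   parentTrustedBy - "nonce" or "host": how the parent itself was allowed
function importAllowed(csp, importSpecifier, ctx) {
  const sources = parseScriptSrc(csp);
  const target = new URL(importSpecifier, ctx.pageOrigin + '/');
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));

  // 1. Descendant script fetch options: the parent's nonce is inherited by the
  //    import() request, so a nonce-based policy admits it from any host.
  if (ctx.parentNonce && nonces.includes(ctx.parentNonce)) return true;

  // 2. 'strict-dynamic': trust propagates from a nonce-trusted parent, and
  //    host / 'self' sources are ignored entirely.
  if (sources.includes("'strict-dynamic'")) return ctx.parentTrustedBy === 'nonce';

  // 3. Host-based sources never propagate trust: the imported URL must match.
  if (sources.includes("'self'") && target.origin === ctx.pageOrigin) return true;
  return sources.some(s => !s.startsWith("'") && hostMatches(s, target));
}

// Constructed sample policies mirroring the two cases in the card.
const NONCE_CSP = "default-src 'none'; script-src 'nonce-secret123'";
const SELF_CSP = "default-src 'none'; script-src 'self'";
const noncedParent = { pageOrigin: 'https://app.example', parentNonce: 'secret123', parentTrustedBy: 'nonce' };
const hostParent = { pageOrigin: 'https://app.example', parentNonce: null, parentTrustedBy: 'host' };

console.log(importAllowed(NONCE_CSP, 'https://other-host.com/other.js', noncedParent)); // true
console.log(importAllowed(SELF_CSP, 'https://other-host.com/other.js', hostParent));    // false
```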
makandra dev