When you load a `<script>` with a nonce, that script can `await import()` additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to `'strict-dynamic'`, which propagates nonces for any purpose, not limited to imports (e.g. inserting elements).

## Example

We have a restrictive CSP that only allows nonces:

```
Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'
```

Our HTML loads `script.js` using that nonce:

```html
<!-- type="module" because the script below uses top-level await -->
<script type="module" nonce="secret123" src="script.js"></script>
```

Our `script.js` imports `other.js` without a nonce:

```js
let other = await import('./other.js')
console.log("Look, script.js has imported %o", other)
```

The import succeeds without a nonce, due to implicit nonce propagation.

## Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using `'strict-dynamic'`.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an `await import('assets/chunk-NAXSMFJV.js')`. There's no way to inject a nonce into that `import()`, but implicit nonce propagation still allows the request.

## Should I worry about this?

It would require some truly strange code for user input to make it into an `import()` argument. I wouldn't lose sleep over this.

## Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for `import-src` that went nowhere

## Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, we only allow scripts from our own host (no nonces):

```
Content-Security-Policy: default-src 'none'; script-src 'self'
```

Our HTML loads `script.js` from our own host:

```html
<script type="module" src="script.js"></script>
```

Our `script.js` imports `other.js` from a different host:

```js
let other = await import('https://other-host.com/other.js')
```

This fails with a CSP violation:

```
Executing inline script violates the following Content Security Policy directive 'script-src 'self''
```
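To make the two cases above concrete, here is an added example (not code from the original card) that models the `script-src` decision a browser makes for a top-level script and for the descendants it loads via `import()`: descendant requests inherit the parent's nonce, while host-based sources such as `'self'` grant nothing to descendants. The page origin `https://app.example`, the request objects and the scenario list are constructed for the demo; `'strict-dynamic'`, hashes, `'unsafe-inline'`, host wildcards and scheme-only sources are deliberately not modelled.

```javascript
// Added example, not part of the original card: a small model of the
// script-src check for a top-level <script> and for the descendant scripts it
// loads via import(). Descendant fetches inherit the parent's nonce; host-source
// entries ('self', https://cdn.example) grant no trust to descendants.
// 'strict-dynamic', hashes, host wildcards and scheme-only sources are omitted.

function parseScriptSrc(cspHeader) {
  // Return the source list that governs scripts: script-src if present,
  // otherwise default-src (the fallback browsers apply).
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? [];
}

function sourceMatches(source, request) {
  // request = { url, nonce, pageOrigin }
  if (source === "'none'") return false;
  const nonce = /^'nonce-(.+)'$/.exec(source);
  if (nonce) return request.nonce !== null && request.nonce === nonce[1];
  const requestOrigin = new URL(request.url).origin;
  if (source === "'self'") return requestOrigin === request.pageOrigin;
  if (source === '*') return true;
  try {
    // Plain host-source with scheme, e.g. https://cdn.example
    return new URL(source).origin === requestOrigin;
  } catch {
    return false; // source expression not supported by this model
  }
}

function isAllowed(cspHeader, request) {
  return parseScriptSrc(cspHeader).some((source) => sourceMatches(source, request));
}

function descendantRequest(parent, specifier) {
  // A dynamic import() resolved relative to the parent module. The nonce is
  // copied from the parent: this is the implicit propagation the card describes.
  return {
    url: new URL(specifier, parent.url).href,
    nonce: parent.nonce,
    pageOrigin: parent.pageOrigin,
  };
}

function evaluateScenario(cspHeader, parentScript, importSpecifier) {
  const parentAllowed = isAllowed(cspHeader, parentScript);
  const child = descendantRequest(parentScript, importSpecifier);
  return {
    parentAllowed,
    childUrl: child.url,
    // A descendant is only fetched if its parent was allowed to run at all.
    childAllowed: parentAllowed && isAllowed(cspHeader, child),
  };
}

// Constructed inputs mirroring the card's two examples (the origin is made up).
const PAGE_ORIGIN = 'https://app.example';
const NONCE_CSP = "default-src 'none'; script-src 'nonce-secret123'";
const SELF_CSP = "default-src 'none'; script-src 'self'";
const noncedScript = { url: `${PAGE_ORIGIN}/script.js`, nonce: 'secret123', pageOrigin: PAGE_ORIGIN };
const plainScript = { url: `${PAGE_ORIGIN}/script.js`, nonce: null, pageOrigin: PAGE_ORIGIN };

for (const [label, csp, parent, spec] of [
  ['nonce CSP, same-host chunk', NONCE_CSP, noncedScript, './assets/chunk-NAXSMFJV.js'],
  ['nonce CSP, cross-host import', NONCE_CSP, noncedScript, 'https://other-host.com/other.js'],
  ['self CSP, same-host import', SELF_CSP, plainScript, './other.js'],
  ['self CSP, cross-host import', SELF_CSP, plainScript, 'https://other-host.com/other.js'],
]) {
  console.log(label, evaluateScenario(csp, parent, spec));
}
```

The second scenario is the one the card is about: the child request carries the inherited nonce, so the host it resolves to never enters the decision. The fourth scenario shows why the same trick does not work for `'self'`: the descendant is checked against the host list like any other request, and a cross-host URL fails.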