Some users might use Adblock Plus or similar browser plugins to reduce the number of ads displayed. If you run...
...any cleanup yourself. Why? Understand this: before(:context) is run when the context/describe block begins, before(:context) is run outside of transactions, so data created here will bleed into other...
...live: true, host: '127.0.0.1' do watch(%r(^public/assets/esbuild_error_development\.txt$)) # Livereload + ESbuild is not the best combo # We want # - to reload CSS files without doing a full page reload
use Postgres' lower() function add an index on lower(email) Probably the best approach is to just convert emails (and usernames) to lowercase within Rails. Popular authentication libraries...
While debugging a SPF record I found spf-record.de to be very helpful. it lists all IPs that are covered by...
...to be performed around a deploy. Be it to notify operations about changed application behavior, be it to run a little oneline script after the deploy. Most database-related stuff...
Understand what Memoization is and when it can be useful. Understand the @variable ||= computation pattern. Learn how to use...
To allow HTTP 304 responses, Rails offers the fresh_when method for controllers. The most common way is to pass...
For string columns, MySQL indexes the left side of a string. That means an index can speed a like query...
Web technology is a broad field and you cannot be an expert in all aspects. However, it is useful to...
...record, :match_requests_on).except(:example_group) VCR.use_cassette(name, options) { example.call } end end Behaviour If a spec is not tagged with :vcr, VCR will complain about any attempted HTTP...
...request. This is the default behaviour. If you want to turn this off temporarily, e.g. to communicate with an actual API while writing a new spec, simply add the line...
Rails offers a way to prepend (or append) view paths for the current request. This way, you can make the...
Capybara will fail to find tags that are missing an href attribute. This will probably happen to you every now...
...API (notable methods and properties) video = document.querySelector('video') video.play() video.pause() video.load() // Reset to the beginning and select the best available source video.currentSrc // The selected source video.currentTime // The current playback time...
...using a multiple assignment for a Regex are named groups. Especially when your Regex becomes more complicates it is easier to understand and to process. Note: In case a string...
Rails is split into a large number of (sub-) frameworks. The most important and central of those are activesupport (extends...
We're always striving towards keeping our website's JavaScript as small as possible. If you're using webpack(er...
Array.wrap wraps argument in an array, unless it is array-like already. The behaviour is a bit saner than Array[...]. Array.wrap(nil) # => []
" foo bar \n \t boo".squish # => "foo bar boo" Time.current, Date.current, DateTime.current behaves like .now or .zone.now depending on whether a time zone is set
...lockfile carefully when submitting a commit. Note that the approach in this card works best, if you use yarn outdated or npm outdated together with yarn upgrade some_package or...
...more information about this issue. In Rails3+ you can also disable this annoyingly clever behavior. Why this is bad This has some develish implications for your deployment, because scopes written...
...t notice this during development. Let's say you have a model Note which belongs to an Author and has a string column category: class Note < ActiveRecord::Base
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
...API design, I thought it might be nice to write down a set of best practices. And poke fun at a couple widely-used APIs. Much of this may be...
In development, we store files using ActiveStorage's disk service. This means that stored files are served by your Rails...
...update cucumber Make sure you have a recent version of geordi (it doesn't belong in your Gemfile!): gem install geordi Check if you're using Transforms Transform is no...