RSpec is smart when using the include-matcher in combination with .not_to. One could assume that .not_to include...
Besides their default styling properties, HTML elements have a semantic meaning. For example, an h1 tag is usually styled with...
The RSpec matcher tests if two HTML fragments are equivalent. Equivalency means: Whitespace is ignored Types of attribute quotes are...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
If you have a flaky command you can use the nick-invision/retry to re-try a failing command, optionally...
Accessing other repositories in Gitlab CI is not straight forward, since the access rights of the current pipeline might not...
We recently noticed issues with Chrome 75+ when having the w3c option enabled within the Selenium webdriver. It looks like...
rspec >= 3.1 brings a method and_wrap_original. It seems a bit complicated at first, but there are use cases...
When dealing with external data sources, you may have to deal with improperly encoded strings. While you should prefer deciding...
Webpack builds can take a long time, so we only want to compile when needed. This card shows what will...
The ActionDispatch module of Rails gives you the helper method flash to access the flash messages in a response.
We had the issue, that a VCR spec failed, after updating CarrierWave from version 0.11.0 to 1.3.2. In this version...
tl;dr: Upgrade the gem to at least 4.0.1 When you use rspec_rails in a version < 4 with Rails...
Headless Chrome is a way to run the Chrome browser without a visible window. Configuring Capybara Configure the Capybara driver...
Git diffs show the surrounding contexts for diff hunks. It does so by applying regular expressions to find the beginning...
"Open-source software (OSS) is great. Anyone can use virtually any open-source code in their projects." Well, it depends...
# Basic HTML example # Javascript API (notable methods and properties) video = document.querySelector('video') video.play() video.pause() video.load() // Reset to the beginning and...
In a web application you sometimes have tasks that can not be processed during a request but need to go...
betterspecs.org is a documentation on how to write better RSpec tests. Note that there are also other approaches like The...
With Rspec you can mock objects or functions, for example like this: expect(my_object).to receive(:my_function).and...
This seems to be obvious, but you can expect Rake tasks to be called in RSpec. it 'deletes all Users...
The linked GitHub repository is a bit like our "dev" cards deck, but groomed from a single person (Josh Branchaud...
Simplecov is a code coverage tool. This helps you to find out which parts of your application are not tested...
Debugging image color profiles is hard. You can't trust your eyes in this matter, as the image rendering depends...