RSpec is smart when using the include-matcher in combination with .not_to. One could assume that .not_to include...
Event delegation is a pattern where a container element has a single event listener that handles events for all descendants...
The tree command will show you the contents of a directory and all its sub directories as a tree:
Rails has the handy controller method send_file which lets us download files easily. We can decide whether the file...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
We had a card that described how to install multiple mysql versions using mysql-sandbox. Nowadays with the wide adoption...
Our gem spreewald supports a few helpers for development. In case you notice errors in your Cucumber tests, you might...
You can throttle the network in your headless chrome via Selenium. This might be useful for debugging issues with flaky...
Accessing other repositories in Gitlab CI is not straight forward, since the access rights of the current pipeline might not...
Capybara added a deprecation warning in version 3.35.3 (version from 2019) that shows up if your selector is not of...
When giving a presentation where you do some coding, the font size you usually use is probably a bit too...
Table of content for the linked article: 1. The `loading=lazy` attribute 2. Email, call, and SMS links
We have observed Lenovo laptops with nvidia graphics losing performance after they have been in use for a few minutes...
Installing gems on a server that has no access to the internet (especially rubygems.org) requires to bundle the gems into...
To attach files to your records, you will need a new database column representing the filename of the file...
Ruby 3.0 introduced a breaking change in how it treats keyword arguments. There is an excellent blog post on the...
When you have a hex color code, you can easily convert it into its RGB values using plain Ruby.
The linked article shows that there are unclear parts in the JSON specification and that different parsers treat them differently...
ZSH is an alternative command line shell that includes some features like spelling correction, cd automation, better theme, and plugin...
By default parallel_tests will spawn as many test processes as you have CPUs. If you have issues with flaky...
CarrierWave comes with a set of default configuration options which make sense in most cases. However, you should review these...
Sometimes you want to have a time in a given timezone independent from you Rails timezone settings / system timezone. I...
When you repeat a subpattern with a *, + or {...} operator, you may choose between greedy, lazy and possessive modes. Switching modes...
Recently I made an upgrade from Bootstrap 3 to Bootstrap 4 in a bigger project. Here are some tips how...