We are using Spring in our tests for sequential test execution but not for parallel test execution. And Rails requires...
age is a simple, modern and secure file encryption tool, format, and Go library. It features small explicit keys, no...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
We had a card that described how to install multiple mysql versions using mysql-sandbox. Nowadays with the wide adoption...
Our gem spreewald supports a few helpers for development. In case you notice errors in your Cucumber tests, you might...
If you want to expand your Areca Raid by swapping out the disks for larger ones you will need to...
When using custom properties in your stylesheets, you may want to set a specific property value to an existing variable...
It seems like changing the HTTP_ACCEPT_LANGUAGE is not possible for a headless chrome. On Ubuntu the headless Chrome...
You can throttle the network in your headless chrome via Selenium. This might be useful for debugging issues with flaky...
An extensive list of command line options when booting Chrome. This is useful for building a Capybara driver with custom...
What is netfilter's Connection Tracking system? The connection tracking system often referenced as nf_conntrack is part of the...
If you have a flaky command you can use the nick-invision/retry to re-try a failing command, optionally...
In case your integration tests crash with a message like below, try to upgrade Capybara to a newer version (3.35.3...
Capybara added a deprecation warning in version 3.35.3 (version from 2019) that shows up if your selector is not of...
The Node Version Manager allows installing multiple NodeJS versions and switching between them. By default, it does not automatically switch...
6.0.0 2021-06-02 Compatible changes geordi commit will continue even if one of the given projects is inaccessible. It...
We recently noticed issues with Chrome 75+ when having the w3c option enabled within the Selenium webdriver. It looks like...
When testing JavaScript functionality in Selenium (E2E), you may need to access a class or function inside of a evaluate...
To attach files to your records, you will need a new database column representing the filename of the file...
We prefer to run our end-to-end tests with headless Chrome. While it's a very stable solution overall...
When your Rails application server raises error, Capybara will fail your test when it clears the session after the last...
Browsers blocks abusable JavaScript API calls until the user has interacted with the document. Examples would be opening new tab...
In Ruby (almost) everything is an Object. While this enables a lot of powerful features, this concept might be confusing...
capybara-lockstep can help you with flaky end-to-end tests: This Ruby gem synchronizes Capybara commands with client-side...