It is generally discouraged to load your JavaScript by a tag in the : The reason is that a tag will pause the DOM parser until the script has loaded and executed. This will delay the browser's first contentful paint. A much better default is to load your scripts with a tag: A deferred script has many...
The attached compiler() function below applies JavaScript behavior to matching HTML elements as they enter the DOM. This works like...
Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
Often people need links which are not linked directly, but should trigger execution of JavaScript. ❌ Bad workarounds
The need for clearfix hacks has been greatly reduced since we could layout with Flexbox or CSS Grid.
You can scale background images in CSS to the container size using background-size (Demo). Commonly, we use contain or...
When using custom properties in your stylesheets, you may want to set a specific property value to an existing variable...
After switching a project from Sprockets to Webpack, I started observing a bug that was hard to debug: Our...
The Node Version Manager allows installing multiple NodeJS versions and switching between them. By default, it does not automatically switch...
When testing JavaScript functionality in Selenium (E2E), you may need to access a class or function inside of a evaluate...
Table of content for the linked article: 1. The `loading=lazy` attribute 2. Email, call, and SMS links
In RubyMine folders can be excluded from search, navigation etc. by marking it as excluded. You might sometimes wish to...
If your Webpack build is slow, you can use the Speed Measure Plugin for Webpack to figure out where time...
Sometimes you want to load code on demand. For instance, when a a large library is only used on a...
Webpack builds can take a long time, so we only want to compile when needed. This card shows what will...
The attached article examines what the percent unit (%) is relative to in CSS The article does a great job of...
I use the TypeScript compiler for this, since its output is more minimal than Babel's. The following will transpile...
When you have a hex color code, you can easily convert it into its RGB values using plain Ruby.
When your Rails application server raises error, Capybara will fail your test when it clears the session after the last...
Browsers blocks abusable JavaScript API calls until the user has interacted with the document. Examples would be opening new tab...
By default parallel_tests will spawn as many test processes as you have CPUs. If you have issues with flaky...
Insomnia is a GUI tool to help you communicating with an API. There are also other tools to do this...
Recently I made an upgrade from Bootstrap 3 to Bootstrap 4 in a bigger project. Here are some tips how...
Rails 6 includes a WYSIWYG editor, Action Text. It works out of the box quite well, but chances are that...