SameSite cookies

SameSite Cookie 允许服务器要求某个cookie在跨站请求时不会被发送,从而可以阻止跨站请求伪造攻击(CSRF)。

SameSite可以有下面三种值:

None
The browser will send cookies with both cross-site requests and same-site requests.

Strict
The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the Strict attribute will be included.

Lax
Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.


虽说是为了保护隐私,避免 CSRF 攻击。但是做不到无缝升级,很多开发者不会愿意主动适配吧。
未主动设置,就“几乎等同于”设置为 SameSite=Lax —— Chrome 有个临时方案,对于顶级导航时的非幂等请求,允许携带2分钟内设置或有效期不超过2分钟的Cookie。
设置为 SameSite=None 时必须搭配 Secure 使用,还要处理因规范变更造成的浏览器兼容问题——Chrome 51-66 / UC 12.13.2 / MacOS 10.14 / iOS 12。

参考资料:
SameSite Cookies
SameSite cookies explained
SameSite cookie recipes
Intent to Implement and Ship: Cookies with SameSite by default
SameSite Updates
SameSite=None: Known Incompatible Clients
Cookies default to SameSite=Lax
Reject insecure SameSite=None cookies

HTMLInputElement checkbox indeterminate

Properties that apply only to elements of type checkbox or radio
checked Boolean: Returns / Sets the current state of the element when type is checkbox or radio.
defaultChecked Boolean: Returns / Sets the default state of a radio button or checkbox as originally specified in HTML that created this object.
indeterminate Boolean: Returns whether the checkbox or radio button is in indeterminate state. For checkboxes, the effect is that the appearance of the checkbox is obscured/greyed in some way as to indicate its state is indeterminate (not checked but not unchecked). Does not affect the value of the checked attribute, and clicking the checkbox will set the value to false.

gitlab 中的各种 token

Private Tokens
https://gitlab.com/gitlab-org/gitlab-ce/blob/10-2-stable/CHANGELOG.md#security-4-changes-1
GitLab 10.2 移除。每个账号可配置一个。

Personal Access Tokens
https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
GitLab 8.8 支持。每个账号可配置多个。

Impersonation Tokens
https://docs.gitlab.com/ee/api/README.html#impersonation-tokens
GitLab 9.0 支持。由管理员为特定账号生成的 Personal access tokens

Deploy Tokens
https://docs.gitlab.com/ee/user/project/deploy_tokens/
GitLab 10.7 支持。每个仓库可配置多个,使用方式类似用户名和密码。
git clone http://:@gitlab.example.com/tanuki/awesome_project.git

Deploy Keys
https://docs.gitlab.com/ee/ssh/README.html#deploy-keys
每个仓库可配置多个,使用方式类似于SSH公钥。

CI Job Token
https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#job-token
GitLab 8.12 支持。每个 Job 可配置一个,使用方式类似用户名和密码。
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com//.git

CI Runner Token
https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#before-gitlab-812
https://gitlab.com/gitlab-org/gitlab-ce/issues/22484#note_15913305
GitLab 8.12 之前。每个仓库可配置一个,使用方式类似用户名和密码。
https://gitlab-ci-token:/gitlab.com/gitlab-org/gitlab-ce.git

在 CentOS 7 搭建 gitlab-ce

一、配置 gitlab 的 yum 源

二、安装依赖,并在系统防火墙进行 HTTP 和 SSH 配置

三、配置邮件通知(可选)

四、添加 gitlab 包仓储

五、安装 gitlab

参考:
https://about.gitlab.com/install/#centos-7
https://www.cnblogs.com/weifeng1463/p/7714492.html

Rendering on the Web

Terminology

Rendering

  • SSR: Server-Side Rendering – rendering a client-side or universal app to HTML on the server.
  • CSR: Client-Side Rendering – rendering an app in a browser, generally using the DOM.
  • Rehydration: “booting up” JavaScript views on the client such that they reuse the server-rendered HTML’s DOM tree and data.
  • Prerendering: running a client-side application at build time to capture its initial state as static HTML.

Performance

  • TTFB: Time to First Byte – seen as the time between clicking a link and the first bit of content coming in.
  • FP: First Paint – the first time any pixel gets becomes visible to the user.
  • FCP: First Contentful Paint – the time when requested content (article body, etc) becomes visible.
  • TTI: Time To Interactive – the time at which a page becomes interactive (events wired up, etc).

参考:
Rendering on the Web