diff --git a/static/build.html b/static/build.html index e3d1c687..269cd2e1 100644 --- a/static/build.html +++ b/static/build.html @@ -890,16 +890,51 @@ export PATH="$PATH:$HOME/sdk/tools:$HOME/sdk/tools/bin:$HOME/sdk/platform-tools: / statements. Wrap lines at 100 columns except in rare cases where it would be far uglier to wrap the line.
-For JavaScript, put "use strict";
at the top of every file, end lines
- with semicolons (since automatic insertion is poorly designed) and always use
- const
to declare variables, unless they are reassigned in which case they
- should be declared with let
but never use var
as it is
- effectively broken. Try to prefer loops with for..of
.
For JavaScript, all code should be contained within ES6 modules. This means every
+ script element should use type="module"
. Modules provide proper
+ namespacing with explicit imports and exports. Modules automatically use strict mode,
+ so "use strict";
is no longer needed. By default, modules are also
+ deferred until after the DOM is ready, i.e. they have an implicit defer
+ attribute. This should be relied upon rather than unnecessarily listening for an event
+ to determine if the DOM is ready for use. It can make sense to use async
+ to run the code earlier if the JavaScript is essential to the content and benefits
+ from being able to start tasks before the DOM is ready, such as retrieving important
+ content or checking if there's a login session. Always end lines with semicolons
+ (since automatic insertion is poorly designed) and always use const
to
+ declare variables, unless they are reassigned in which case they should be declared
+ with let
but never use var
as it is effectively broken. Try
+ to prefer loops with for..of
. JavaScript must pass verification with
+ jshint
using the following .jslintrc
configuration:
{ + "browser": true, + "module": true, + "devel": true, + "esversion": 6, + "strict": "global" +}+ +
Cookies are only used for login sessions. The only other use case considered valid
+ would be optimizing HTTP/2 Server Push but the intention is only to use that for
+ render blocking CSS and it's not really worth optimizing for caching when the CSS is
+ tiny in practice. Every cookie must have the __Host
prefix to guarantee
+ that it has the Secure
attribute and Path=/
. The
+ HttpOnly
and SameSite=Strict
flags should also always be
+ included. These kinds of cookies can provide secure login sessions in browsers with
+ fully working SameSite=Strict
support. However, CSRF tokens should still
+ be used for the near future in case there are browser issues.
For web content, use dashes as user-facing word separators rather than underscores. Page titles should follow the scheme "Page | Directory | Higher-level directory | Site" for usability with a traditional title as the Open Graph title.
+HTML must pass verification with validatornu
and xmllint
.
+ Ensuring that it parses as XML with xmllint
catches many common mistakes
+ and typos that are missed by HTML validation due to the ridiculously permissive nature
+ of HTML. This enforces closing every tag, using proper escaping and so on. XHTML does
+ not really exist anymore and we simply use XML parsing as an enforced coding standard
+ and lint pass. It can also be useful to make it compatible with XML-based tooling.
Avoid designing around class inheritance unless it's a rare case where it's an extremely good fit or the language sucks (Java) and it's the least bad approach, but still try to avoid it.
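Review bot: The added JavaScript paragraph names the config file .jslintrc, but the tool it requires is jshint, which reads .jshintrc; as written, a contributor who follows the text creates a file the linter never loads, so the name should be changed to .jshintrc. In the added cookie paragraph, the prefix is written as __Host, while the prefix browsers enforce is __Host- with the trailing dash. That prefix also requires that no Domain attribute is set, which is worth stating next to Secure and Path=/ because the host-only binding is part of what the session cookie relies on.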