diff --git a/core/audits/csp-xss.js b/core/audits/csp-xss.js
index 7e1a3d329c56..3bbdf4414fee 100644
--- a/core/audits/csp-xss.js
+++ b/core/audits/csp-xss.js
@@ -21,7 +21,7 @@ const UIStrings = {
/** Summary text for the results of a Lighthouse audit that evaluates the security of a page's CSP. This is displayed if no CSP is being enforced. "CSP" stands for "Content Security Policy". "CSP" does not need to be translated. */
noCsp: 'No CSP found in enforcement mode',
/** Message shown when one or more CSPs are defined in a tag. Shown in a table with a list of other CSP bypasses and warnings. "CSP" stands for "Content Security Policy". "CSP" and "HTTP" do not need to be translated. */
- metaTagMessage: 'The page contains a CSP defined in a tag. ' +
+ metaTagMessage: 'The page contains a CSP defined in a `` tag. ' +
'Consider moving the CSP to an HTTP header or ' +
'defining another strict CSP in an HTTP header.',
/** Label for a column in a data table; entries will be a directive of a CSP. "CSP" stands for "Content Security Policy". */
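Review bot: The translator description above `metaTagMessage` still lists only "CSP" and "HTTP" as untranslatable, while the new string adds a backtick-delimited code span that translators have to keep intact. As shown on this page the span is empty (two backticks with nothing between them), and the same is true of `missingBaseUri` in core/lib/csp-evaluator.js. Presumably the tag names were lost when the page was rendered, but if the literals really are empty the report would show stray backticks, so confirm that each literal carries its tag name. I would also extend the description with a sentence such as `Text inside backticks is code and must not be translated or reordered.` The `UIStrings` object starts and ends outside this hunk.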
diff --git a/core/lib/csp-evaluator.js b/core/lib/csp-evaluator.js
index b3b7b4928d09..4f4bec138be5 100644
--- a/core/lib/csp-evaluator.js
+++ b/core/lib/csp-evaluator.js
@@ -19,31 +19,31 @@ import {isIcuMessage} from '../../shared/localization/format.js';
const UIStrings = {
/** Message shown when a CSP does not have a base-uri directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "base-uri", "'none'", and "'self'" do not need to be translated. */
- missingBaseUri: 'Missing base-uri allows injected tags to set the base URL for all ' +
+ missingBaseUri: 'Missing `base-uri` allows injected `` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
- 'Consider setting base-uri to \'none\' or \'self\'.',
+ 'Consider setting `base-uri` to `\'none\'` or `\'self\'`.',
/** Message shown when a CSP does not have a script-src directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "script-src" does not need to be translated. */
- missingScriptSrc: 'script-src directive is missing. ' +
+ missingScriptSrc: '`script-src` directive is missing. ' +
'This can allow the execution of unsafe scripts.',
/** Message shown when a CSP does not have a script-src directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "object-src" and "'none'" do not need to be translated. */
- missingObjectSrc: 'Missing object-src allows the injection of plugins ' +
- 'that execute unsafe scripts. Consider setting object-src to \'none\' if you can.',
+ missingObjectSrc: 'Missing `object-src` allows the injection of plugins ' +
+ 'that execute unsafe scripts. Consider setting `object-src` to `\'none\'` if you can.',
/** Message shown when a CSP uses a domain allowlist to filter out malicious scripts. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP", "'strict-dynamic'", "nonces", and "hashes" do not need to be translated. "allowlists" can be interpreted as "whitelist". */
strictDynamic: 'Host allowlists can frequently be bypassed. Consider using ' +
- 'CSP nonces or hashes instead, along with \'strict-dynamic\' if necessary.',
+ 'CSP nonces or hashes instead, along with `\'strict-dynamic\'` if necessary.',
/** Message shown when a CSP allows inline scripts to be run in the page. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP", "'unsafe-inline'", "nonces", and "hashes" do not need to be translated. */
- unsafeInline: '\'unsafe-inline\' allows the execution of unsafe in-page scripts ' +
+ unsafeInline: '`\'unsafe-inline\'` allows the execution of unsafe in-page scripts ' +
'and event handlers. Consider using CSP nonces or hashes to allow scripts individually.',
/** Message shown when a CSP is not backwards compatible with browsers that do not support CSP nonces/hashes. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "'unsafe-inline'", "nonces", and "hashes" do not need to be translated. */
- unsafeInlineFallback: 'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
+ unsafeInlineFallback: 'Consider adding `\'unsafe-inline\'` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.',
/** Message shown when a CSP is not backwards compatible with browsers that do not support the 'strict-dynamic' keyword. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "http:", "https:", and "'strict-dynamic'" do not need to be translated. */
allowlistFallback: 'Consider adding https: and http: URL schemes (ignored by browsers ' +
- 'supporting \'strict-dynamic\') to be backward compatible with older browsers.',
+ 'supporting `\'strict-dynamic\'`) to be backward compatible with older browsers.',
/** Message shown when a CSP only provides a reporting destination through the report-to directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "report-to", "report-uri", and "Chromium" do not need to be translated. */
reportToOnly: 'The reporting destination is only configured via the report-to directive. ' +
'This directive is only supported in Chromium-based browsers so it is ' +
- 'recommended to also use a report-uri directive.',
+ 'recommended to also use a `report-uri` directive.',
/** Message shown when a CSP does not provide a reporting destination. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP" does not need to be translated. */
reportingDestinationMissing: 'No CSP configures a reporting destination. ' +
'This makes it difficult to maintain the CSP over time and monitor for any breakages.',
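Review bot: Code formatting is applied unevenly inside single messages. `reportToOnly` now marks `report-uri` but leaves `report-to` in the same sentence as plain text, and `allowlistFallback` marks `'strict-dynamic'` but not the `https:` and `http:` scheme tokens. A reader of the report should see every directive and source expression the same way, so I would change the unchanged lines to ``'The reporting destination is only configured via the `report-to` directive. ' +`` and ``'Consider adding `https:` and `http:` URL schemes (ignored by browsers ' +``. The matching expectation in core/test/lib/csp-evaluator-test.js and the en-US/en-XL locale entries would need the same edit. The `UIStrings` object continues past the end of this hunk.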
@@ -65,13 +65,13 @@ const UIStrings = {
*/
unknownKeyword: '{keyword} seems to be an invalid keyword.',
/** Message shown when a CSP uses the deprecated reflected-xss directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "reflected-xss", "CSP2" and "X-XSS-Protection" do not need to be translated. */
- deprecatedReflectedXSS: 'reflected-xss is deprecated since CSP2. ' +
+ deprecatedReflectedXSS: '`reflected-xss` is deprecated since CSP2. ' +
'Please, use the X-XSS-Protection header instead.',
/** Message shown when a CSP uses the deprecated referrer directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "referrer", "CSP2" and "Referrer-Policy" do not need to be translated. */
- deprecatedReferrer: 'referrer is deprecated since CSP2. ' +
+ deprecatedReferrer: '`referrer` is deprecated since CSP2. ' +
'Please, use the Referrer-Policy header instead.',
/** Message shown when a CSP uses the deprecated disown-opener directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "disown-opener", "CSP3" and "Cross-Origin-Opener-Policy" do not need to be translated. */
- deprecatedDisownOpener: 'disown-opener is deprecated since CSP3. ' +
+ deprecatedDisownOpener: '`disown-opener` is deprecated since CSP3. ' +
'Please, use the Cross-Origin-Opener-Policy header instead.',
/**
* @description Message shown when a CSP wildcard allows unsafe scripts to be run in the page. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy".
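Review bot: `deprecatedReflectedXSS` still advises `Please, use the X-XSS-Protection header instead.`, and this commit reformats the message without revisiting that advice. The header is non-standard, Firefox never implemented it, and Chromium has removed the XSS Auditor that honoured it, so a site owner who follows the message gains no protection in current browsers. I would replace the second line with something like `'It has no effect in current browsers; rely on a strict CSP to mitigate XSS.'` and update the translator description, the test expectation and the locale entries to match. The `UIStrings` object and the trailing `@description` comment continue outside this hunk.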
diff --git a/core/test/audits/csp-xss-test.js b/core/test/audits/csp-xss-test.js
index 564ed6807b95..c1fc0b74eb2e 100644
--- a/core/test/audits/csp-xss-test.js
+++ b/core/test/audits/csp-xss-test.js
@@ -26,8 +26,8 @@ const STATIC_RESULTS = {
severity: SEVERITY.high,
description: {
formattedDefault:
- 'Missing object-src allows the injection of plugins that execute unsafe scripts. ' +
- 'Consider setting object-src to \'none\' if you can.',
+ 'Missing `object-src` allows the injection of plugins that execute unsafe scripts. ' +
+ 'Consider setting `object-src` to `\'none\'` if you can.',
},
directive: 'object-src',
},
@@ -35,9 +35,9 @@ const STATIC_RESULTS = {
severity: SEVERITY.high,
description: {
formattedDefault:
- 'Missing base-uri allows injected tags to set the base URL for all ' +
+ 'Missing `base-uri` allows injected `` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
- 'Consider setting base-uri to \'none\' or \'self\'.',
+ 'Consider setting `base-uri` to `\'none\'` or `\'self\'`.',
},
directive: 'base-uri',
},
@@ -45,7 +45,7 @@ const STATIC_RESULTS = {
severity: SEVERITY.medium,
description: {
formattedDefault:
- 'The page contains a CSP defined in a tag. ' +
+ 'The page contains a CSP defined in a `` tag. ' +
'Consider moving the CSP to an HTTP header or ' +
'defining another strict CSP in an HTTP header.',
},
@@ -55,7 +55,7 @@ const STATIC_RESULTS = {
severity: SEVERITY.medium,
description: {
formattedDefault:
- 'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
+ 'Consider adding `\'unsafe-inline\'` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.',
},
directive: 'script-src',
diff --git a/core/test/lib/csp-evaluator-test.js b/core/test/lib/csp-evaluator-test.js
index 1d4662f27da7..3bd24a8574e9 100644
--- a/core/test/lib/csp-evaluator-test.js
+++ b/core/test/lib/csp-evaluator-test.js
@@ -43,7 +43,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'script-src directive is missing. This can allow the execution of unsafe scripts.'
+ '`script-src` directive is missing. This can allow the execution of unsafe scripts.'
);
});
@@ -55,8 +55,8 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'Missing object-src allows the injection of plugins that execute unsafe scripts. ' +
- 'Consider setting object-src to \'none\' if you can.'
+ 'Missing `object-src` allows the injection of plugins that execute unsafe scripts. ' +
+ 'Consider setting `object-src` to `\'none\'` if you can.'
);
});
@@ -68,9 +68,9 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'Missing base-uri allows injected tags to set the base URL for all ' +
+ 'Missing `base-uri` allows injected `` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
- 'Consider setting base-uri to \'none\' or \'self\'.'
+ 'Consider setting `base-uri` to `\'none\'` or `\'self\'`.'
);
});
@@ -82,7 +82,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- '\'unsafe-inline\' allows the execution of unsafe in-page scripts ' +
+ '`\'unsafe-inline\'` allows the execution of unsafe in-page scripts ' +
'and event handlers. Consider using CSP nonces or hashes to allow scripts individually.'
);
});
@@ -124,7 +124,7 @@ describe('getTranslatedDescription', () => {
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Host allowlists can frequently be bypassed. Consider using ' +
- 'CSP nonces or hashes instead, along with \'strict-dynamic\' if necessary.'
+ 'CSP nonces or hashes instead, along with `\'strict-dynamic\'` if necessary.'
);
});
@@ -137,7 +137,7 @@ describe('getTranslatedDescription', () => {
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Consider adding https: and http: URL schemes (ignored by browsers ' +
- 'supporting \'strict-dynamic\') to be backward compatible with older browsers.'
+ 'supporting `\'strict-dynamic\'`) to be backward compatible with older browsers.'
);
});
@@ -149,7 +149,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
+ 'Consider adding `\'unsafe-inline\'` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.'
);
});
@@ -235,7 +235,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'reflected-xss is deprecated since CSP2. ' +
+ '`reflected-xss` is deprecated since CSP2. ' +
'Please, use the X-XSS-Protection header instead.'
);
});
@@ -250,7 +250,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'referrer is deprecated since CSP2. ' +
+ '`referrer` is deprecated since CSP2. ' +
'Please, use the Referrer-Policy header instead.'
);
});
@@ -265,7 +265,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
- 'disown-opener is deprecated since CSP3. ' +
+ '`disown-opener` is deprecated since CSP3. ' +
'Please, use the Cross-Origin-Opener-Policy header instead.'
);
});
diff --git a/shared/localization/locales/en-US.json b/shared/localization/locales/en-US.json
index 0e87fb3aecce..a7b4eef57f4d 100644
--- a/shared/localization/locales/en-US.json
+++ b/shared/localization/locales/en-US.json
@@ -774,7 +774,7 @@
"message": "Syntax"
},
"core/audits/csp-xss.js | metaTagMessage": {
- "message": "The page contains a CSP defined in a tag. Consider moving the CSP to an HTTP header or defining another strict CSP in an HTTP header."
+ "message": "The page contains a CSP defined in a `` tag. Consider moving the CSP to an HTTP header or defining another strict CSP in an HTTP header."
},
"core/audits/csp-xss.js | noCsp": {
"message": "No CSP found in enforcement mode"
@@ -2211,25 +2211,25 @@
"message": "Pages that use WebXR are not currently eligible for back/forward cache."
},
"core/lib/csp-evaluator.js | allowlistFallback": {
- "message": "Consider adding https: and http: URL schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers."
+ "message": "Consider adding https: and http: URL schemes (ignored by browsers supporting `'strict-dynamic'`) to be backward compatible with older browsers."
},
"core/lib/csp-evaluator.js | deprecatedDisownOpener": {
- "message": "disown-opener is deprecated since CSP3. Please, use the Cross-Origin-Opener-Policy header instead."
+ "message": "`disown-opener` is deprecated since CSP3. Please, use the Cross-Origin-Opener-Policy header instead."
},
"core/lib/csp-evaluator.js | deprecatedReferrer": {
- "message": "referrer is deprecated since CSP2. Please, use the Referrer-Policy header instead."
+ "message": "`referrer` is deprecated since CSP2. Please, use the Referrer-Policy header instead."
},
"core/lib/csp-evaluator.js | deprecatedReflectedXSS": {
- "message": "reflected-xss is deprecated since CSP2. Please, use the X-XSS-Protection header instead."
+ "message": "`reflected-xss` is deprecated since CSP2. Please, use the X-XSS-Protection header instead."
},
"core/lib/csp-evaluator.js | missingBaseUri": {
- "message": "Missing base-uri allows injected tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting base-uri to 'none' or 'self'."
+ "message": "Missing `base-uri` allows injected `` tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting `base-uri` to `'none'` or `'self'`."
},
"core/lib/csp-evaluator.js | missingObjectSrc": {
- "message": "Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can."
+ "message": "Missing `object-src` allows the injection of plugins that execute unsafe scripts. Consider setting `object-src` to `'none'` if you can."
},
"core/lib/csp-evaluator.js | missingScriptSrc": {
- "message": "script-src directive is missing. This can allow the execution of unsafe scripts."
+ "message": "`script-src` directive is missing. This can allow the execution of unsafe scripts."
},
"core/lib/csp-evaluator.js | missingSemicolon": {
"message": "Did you forget the semicolon? {keyword} seems to be a directive, not a keyword."
@@ -2250,10 +2250,10 @@
"message": "No CSP configures a reporting destination. This makes it difficult to maintain the CSP over time and monitor for any breakages."
},
"core/lib/csp-evaluator.js | reportToOnly": {
- "message": "The reporting destination is only configured via the report-to directive. This directive is only supported in Chromium-based browsers so it is recommended to also use a report-uri directive."
+ "message": "The reporting destination is only configured via the report-to directive. This directive is only supported in Chromium-based browsers so it is recommended to also use a `report-uri` directive."
},
"core/lib/csp-evaluator.js | strictDynamic": {
- "message": "Host allowlists can frequently be bypassed. Consider using CSP nonces or hashes instead, along with 'strict-dynamic' if necessary."
+ "message": "Host allowlists can frequently be bypassed. Consider using CSP nonces or hashes instead, along with `'strict-dynamic'` if necessary."
},
"core/lib/csp-evaluator.js | unknownDirective": {
"message": "Unknown CSP directive."
@@ -2262,10 +2262,10 @@
"message": "{keyword} seems to be an invalid keyword."
},
"core/lib/csp-evaluator.js | unsafeInline": {
- "message": "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers. Consider using CSP nonces or hashes to allow scripts individually."
+ "message": "`'unsafe-inline'` allows the execution of unsafe in-page scripts and event handlers. Consider using CSP nonces or hashes to allow scripts individually."
},
"core/lib/csp-evaluator.js | unsafeInlineFallback": {
- "message": "Consider adding 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers."
+ "message": "Consider adding `'unsafe-inline'` (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers."
},
"core/lib/deprecation-description.js | feature": {
"message": "Check the feature status page for more details."
diff --git a/shared/localization/locales/en-XL.json b/shared/localization/locales/en-XL.json
index f6bedacd9b2e..471b32858ebc 100644
--- a/shared/localization/locales/en-XL.json
+++ b/shared/localization/locales/en-XL.json
@@ -774,7 +774,7 @@
"message": "Ŝýn̂t́âx́"
},
"core/audits/csp-xss.js | metaTagMessage": {
- "message": "T̂h́ê ṕâǵê ćôńt̂áîńŝ á ĈŚP̂ d́êf́îńêd́ îń â t́âǵ. Ĉón̂śîd́êŕ m̂óv̂ín̂ǵ t̂h́ê ĆŜṔ t̂ó âń ĤT́T̂Ṕ ĥéâd́êŕ ôŕ d̂éf̂ín̂ín̂ǵ âńôt́ĥér̂ śt̂ŕîćt̂ ĆŜṔ îń âń ĤT́T̂Ṕ ĥéâd́êŕ."
+ "message": "T̂h́ê ṕâǵê ćôńt̂áîńŝ á ĈŚP̂ d́êf́îńêd́ îń â `` t́âǵ. Ĉón̂śîd́êŕ m̂óv̂ín̂ǵ t̂h́ê ĆŜṔ t̂ó âń ĤT́T̂Ṕ ĥéâd́êŕ ôŕ d̂éf̂ín̂ín̂ǵ âńôt́ĥér̂ śt̂ŕîćt̂ ĆŜṔ îń âń ĤT́T̂Ṕ ĥéâd́êŕ."
},
"core/audits/csp-xss.js | noCsp": {
"message": "N̂ó ĈŚP̂ f́ôún̂d́ îń êńf̂ór̂ćêḿêńt̂ ḿôd́ê"
@@ -2211,25 +2211,25 @@
"message": "P̂áĝéŝ t́ĥát̂ úŝé Ŵéb̂X́R̂ ár̂é n̂ót̂ ćûŕr̂én̂t́l̂ý êĺîǵîb́l̂é f̂ór̂ b́âćk̂/f́ôŕŵár̂d́ ĉáĉh́ê."
},
"core/lib/csp-evaluator.js | allowlistFallback": {
- "message": "Ĉón̂śîd́êŕ âd́d̂ín̂ǵ ĥt́t̂ṕŝ: án̂d́ ĥt́t̂ṕ: ÛŔL̂ śĉh́êḿêś (îǵn̂ór̂éd̂ b́ŷ b́r̂óŵśêŕŝ śûṕp̂ór̂t́îńĝ 'śt̂ŕîćt̂-d́ŷńâḿîć') t̂ó b̂é b̂áĉḱŵár̂d́ ĉóm̂ṕât́îb́l̂é ŵít̂h́ ôĺd̂ér̂ b́r̂óŵśêŕŝ."
+ "message": "Ĉón̂śîd́êŕ âd́d̂ín̂ǵ ĥt́t̂ṕŝ: án̂d́ ĥt́t̂ṕ: ÛŔL̂ śĉh́êḿêś (îǵn̂ór̂éd̂ b́ŷ b́r̂óŵśêŕŝ śûṕp̂ór̂t́îńĝ `'strict-dynamic'`) t́ô b́ê b́âćk̂ẃâŕd̂ ćôḿp̂át̂íb̂ĺê ẃît́ĥ ól̂d́êŕ b̂ŕôẃŝér̂ś."
},
"core/lib/csp-evaluator.js | deprecatedDisownOpener": {
- "message": "d̂íŝóŵń-ôṕêńêŕ îś d̂ép̂ŕêćât́êd́ ŝín̂ćê ĆŜṔ3. P̂ĺêáŝé, ûśê t́ĥé Ĉŕôśŝ-Ór̂íĝín̂-Óp̂én̂ér̂-Ṕôĺîćŷ h́êád̂ér̂ ín̂śt̂éâd́."
+ "message": "`disown-opener` îś d̂ép̂ŕêćât́êd́ ŝín̂ćê ĆŜṔ3. P̂ĺêáŝé, ûśê t́ĥé Ĉŕôśŝ-Ór̂íĝín̂-Óp̂én̂ér̂-Ṕôĺîćŷ h́êád̂ér̂ ín̂śt̂éâd́."
},
"core/lib/csp-evaluator.js | deprecatedReferrer": {
- "message": "r̂éf̂ér̂ŕêŕ îś d̂ép̂ŕêćât́êd́ ŝín̂ćê ĆŜṔ2. P̂ĺêáŝé, ûśê t́ĥé R̂éf̂ér̂ŕêŕ-P̂ól̂íĉý ĥéâd́êŕ îńŝt́êád̂."
+ "message": "`referrer` îś d̂ép̂ŕêćât́êd́ ŝín̂ćê ĆŜṔ2. P̂ĺêáŝé, ûśê t́ĥé R̂éf̂ér̂ŕêŕ-P̂ól̂íĉý ĥéâd́êŕ îńŝt́êád̂."
},
"core/lib/csp-evaluator.js | deprecatedReflectedXSS": {
- "message": "r̂éf̂ĺêćt̂éd̂-x́ŝś îś d̂ép̂ŕêćât́êd́ ŝín̂ćê ĆŜṔ2. P̂ĺêáŝé, ûśê t́ĥé X̂-X́ŜŚ-P̂ŕôt́êćt̂íôń ĥéâd́êŕ îńŝt́êád̂."
+ "message": "`reflected-xss` îś d̂ép̂ŕêćât́êd́ ŝín̂ćê ĆŜṔ2. P̂ĺêáŝé, ûśê t́ĥé X̂-X́ŜŚ-P̂ŕôt́êćt̂íôń ĥéâd́êŕ îńŝt́êád̂."
},
"core/lib/csp-evaluator.js | missingBaseUri": {
- "message": "M̂íŝśîńĝ b́âśê-úr̂í âĺl̂óŵś îńĵéĉt́êd́ t̂áĝś t̂ó ŝét̂ t́ĥé b̂áŝé ÛŔL̂ f́ôŕ âĺl̂ ŕêĺât́îv́ê ÚR̂Ĺŝ (é.ĝ. śĉŕîṕt̂ś) t̂ó âń ât́t̂áĉḱêŕ ĉón̂t́r̂ól̂ĺêd́ d̂óm̂áîń. Ĉón̂śîd́êŕ ŝét̂t́îńĝ b́âśê-úr̂í t̂ó 'n̂ón̂é' ôŕ 'ŝél̂f́'."
+ "message": "M̂íŝśîńĝ `base-uri` ál̂ĺôẃŝ ín̂j́êćt̂éd̂ `` t́âǵŝ t́ô śêt́ t̂h́ê b́âśê ÚR̂Ĺ f̂ór̂ ál̂ĺ r̂él̂át̂ív̂é ÛŔL̂ś (ê.ǵ. ŝćr̂íp̂t́ŝ) t́ô án̂ át̂t́âćk̂ér̂ ćôńt̂ŕôĺl̂éd̂ d́ôḿâín̂. Ćôńŝíd̂ér̂ śêt́t̂ín̂ǵ `base-uri` t̂ó `'none'` ôŕ `'self'`."
},
"core/lib/csp-evaluator.js | missingObjectSrc": {
- "message": "M̂íŝśîńĝ ób̂j́êćt̂-śr̂ć âĺl̂óŵś t̂h́ê ín̂j́êćt̂íôń ôf́ p̂ĺûǵîńŝ t́ĥát̂ éx̂éĉút̂é ûńŝáf̂é ŝćr̂íp̂t́ŝ. Ćôńŝíd̂ér̂ śêt́t̂ín̂ǵ ôb́ĵéĉt́-ŝŕĉ t́ô 'ńôńê' íf̂ ýôú ĉán̂."
+ "message": "M̂íŝśîńĝ `object-src` ál̂ĺôẃŝ t́ĥé îńĵéĉt́îón̂ óf̂ ṕl̂úĝín̂ś t̂h́ât́ êx́êćût́ê ún̂śâf́ê śĉŕîṕt̂ś. Ĉón̂śîd́êŕ ŝét̂t́îńĝ `object-src` t́ô `'none'` íf̂ ýôú ĉán̂."
},
"core/lib/csp-evaluator.js | missingScriptSrc": {
- "message": "ŝćr̂íp̂t́-ŝŕĉ d́îŕêćt̂ív̂é îś m̂íŝśîńĝ. T́ĥíŝ ćâń âĺl̂óŵ t́ĥé êx́êćût́îón̂ óf̂ ún̂śâf́ê śĉŕîṕt̂ś."
+ "message": "`script-src` d̂ír̂éĉt́îv́ê íŝ ḿîśŝín̂ǵ. T̂h́îś ĉán̂ ál̂ĺôẃ t̂h́ê éx̂éĉút̂íôń ôf́ ûńŝáf̂é ŝćr̂íp̂t́ŝ."
},
"core/lib/csp-evaluator.js | missingSemicolon": {
"message": "D̂íd̂ ýôú f̂ór̂ǵêt́ t̂h́ê śêḿîćôĺôń? {keyword} ŝéêḿŝ t́ô b́ê á d̂ír̂éĉt́îv́ê, ńôt́ â ḱêýŵór̂d́."
@@ -2250,10 +2250,10 @@
"message": "N̂ó ĈŚP̂ ćôńf̂íĝúr̂éŝ á r̂ép̂ór̂t́îńĝ d́êśt̂ín̂át̂íôń. T̂h́îś m̂ák̂éŝ ít̂ d́îf́f̂íĉúl̂t́ t̂ó m̂áîńt̂áîń t̂h́ê ĆŜṔ ôv́êŕ t̂ím̂é âńd̂ ḿôńît́ôŕ f̂ór̂ án̂ý b̂ŕêák̂áĝéŝ."
},
"core/lib/csp-evaluator.js | reportToOnly": {
- "message": "T̂h́ê ŕêṕôŕt̂ín̂ǵ d̂éŝt́îńât́îón̂ íŝ ón̂ĺŷ ćôńf̂íĝúr̂éd̂ v́îá t̂h́ê ŕêṕôŕt̂-t́ô d́îŕêćt̂ív̂é. T̂h́îś d̂ír̂éĉt́îv́ê íŝ ón̂ĺŷ śûṕp̂ór̂t́êd́ îń Ĉh́r̂óm̂íûḿ-b̂áŝéd̂ b́r̂óŵśêŕŝ śô ít̂ íŝ ŕêćôḿm̂én̂d́êd́ t̂ó âĺŝó ûśê á r̂ép̂ór̂t́-ûŕî d́îŕêćt̂ív̂é."
+ "message": "T̂h́ê ŕêṕôŕt̂ín̂ǵ d̂éŝt́îńât́îón̂ íŝ ón̂ĺŷ ćôńf̂íĝúr̂éd̂ v́îá t̂h́ê ŕêṕôŕt̂-t́ô d́îŕêćt̂ív̂é. T̂h́îś d̂ír̂éĉt́îv́ê íŝ ón̂ĺŷ śûṕp̂ór̂t́êd́ îń Ĉh́r̂óm̂íûḿ-b̂áŝéd̂ b́r̂óŵśêŕŝ śô ít̂ íŝ ŕêćôḿm̂én̂d́êd́ t̂ó âĺŝó ûśê á `report-uri` d̂ír̂éĉt́îv́ê."
},
"core/lib/csp-evaluator.js | strictDynamic": {
- "message": "Ĥóŝt́ âĺl̂óŵĺîśt̂ś ĉán̂ f́r̂éq̂úêńt̂ĺŷ b́ê b́ŷṕâśŝéd̂. Ćôńŝíd̂ér̂ úŝín̂ǵ ĈŚP̂ ńôńĉéŝ ór̂ h́âśĥéŝ ín̂śt̂éâd́, âĺôńĝ ẃît́ĥ 'śt̂ŕîćt̂-d́ŷńâḿîć' îf́ n̂éĉéŝśâŕŷ."
+ "message": "Ĥóŝt́ âĺl̂óŵĺîśt̂ś ĉán̂ f́r̂éq̂úêńt̂ĺŷ b́ê b́ŷṕâśŝéd̂. Ćôńŝíd̂ér̂ úŝín̂ǵ ĈŚP̂ ńôńĉéŝ ór̂ h́âśĥéŝ ín̂śt̂éâd́, âĺôńĝ ẃît́ĥ `'strict-dynamic'` íf̂ ńêćêśŝár̂ý."
},
"core/lib/csp-evaluator.js | unknownDirective": {
"message": "Ûńk̂ńôẃn̂ ĆŜṔ d̂ír̂éĉt́îv́ê."
@@ -2262,10 +2262,10 @@
"message": "{keyword} ŝéêḿŝ t́ô b́ê án̂ ín̂v́âĺîd́ k̂éŷẃôŕd̂."
},
"core/lib/csp-evaluator.js | unsafeInline": {
- "message": "'ûńŝáf̂é-îńl̂ín̂é' âĺl̂óŵś t̂h́ê éx̂éĉút̂íôń ôf́ ûńŝáf̂é îń-p̂áĝé ŝćr̂íp̂t́ŝ án̂d́ êv́êńt̂ h́âńd̂ĺêŕŝ. Ćôńŝíd̂ér̂ úŝín̂ǵ ĈŚP̂ ńôńĉéŝ ór̂ h́âśĥéŝ t́ô ál̂ĺôẃ ŝćr̂íp̂t́ŝ ín̂d́îv́îd́ûál̂ĺŷ."
+ "message": "`'unsafe-inline'` âĺl̂óŵś t̂h́ê éx̂éĉút̂íôń ôf́ ûńŝáf̂é îń-p̂áĝé ŝćr̂íp̂t́ŝ án̂d́ êv́êńt̂ h́âńd̂ĺêŕŝ. Ćôńŝíd̂ér̂ úŝín̂ǵ ĈŚP̂ ńôńĉéŝ ór̂ h́âśĥéŝ t́ô ál̂ĺôẃ ŝćr̂íp̂t́ŝ ín̂d́îv́îd́ûál̂ĺŷ."
},
"core/lib/csp-evaluator.js | unsafeInlineFallback": {
- "message": "Ĉón̂śîd́êŕ âd́d̂ín̂ǵ 'ûńŝáf̂é-îńl̂ín̂é' (îǵn̂ór̂éd̂ b́ŷ b́r̂óŵśêŕŝ śûṕp̂ór̂t́îńĝ ńôńĉéŝ/h́âśĥéŝ) t́ô b́ê b́âćk̂ẃâŕd̂ ćôḿp̂át̂íb̂ĺê ẃît́ĥ ól̂d́êŕ b̂ŕôẃŝér̂ś."
+ "message": "Ĉón̂śîd́êŕ âd́d̂ín̂ǵ `'unsafe-inline'` (îǵn̂ór̂éd̂ b́ŷ b́r̂óŵśêŕŝ śûṕp̂ór̂t́îńĝ ńôńĉéŝ/h́âśĥéŝ) t́ô b́ê b́âćk̂ẃâŕd̂ ćôḿp̂át̂íb̂ĺê ẃît́ĥ ól̂d́êŕ b̂ŕôẃŝér̂ś."
},
"core/lib/deprecation-description.js | feature": {
"message": "Ĉh́êćk̂ t́ĥé f̂éât́ûŕê śt̂át̂úŝ ṕâǵê f́ôŕ m̂ór̂é d̂ét̂áîĺŝ."