Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

core(csp): use monospace for technical terms in strings #15511

Merged
merged 4 commits into from
Oct 3, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion core/audits/csp-xss.js
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ const UIStrings = {
/** Summary text for the results of a Lighthouse audit that evaluates the security of a page's CSP. This is displayed if no CSP is being enforced. "CSP" stands for "Content Security Policy". "CSP" does not need to be translated. */
noCsp: 'No CSP found in enforcement mode',
/** Message shown when one or more CSPs are defined in a <meta> tag. Shown in a table with a list of other CSP bypasses and warnings. "CSP" stands for "Content Security Policy". "CSP" and "HTTP" do not need to be translated. */
metaTagMessage: 'The page contains a CSP defined in a <meta> tag. ' +
metaTagMessage: 'The page contains a CSP defined in a `<meta>` tag. ' +
'Consider moving the CSP to an HTTP header or ' +
'defining another strict CSP in an HTTP header.',
/** Label for a column in a data table; entries will be a directive of a CSP. "CSP" stands for "Content Security Policy". */
Expand Down
26 changes: 13 additions & 13 deletions core/lib/csp-evaluator.js
Original file line number Diff line number Diff line change
Expand Up @@ -19,31 +19,31 @@ import {isIcuMessage} from '../../shared/localization/format.js';

const UIStrings = {
/** Message shown when a CSP does not have a base-uri directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "base-uri", "'none'", and "'self'" do not need to be translated. */
missingBaseUri: 'Missing base-uri allows injected <base> tags to set the base URL for all ' +
missingBaseUri: 'Missing `base-uri` allows injected `<base>` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
'Consider setting base-uri to \'none\' or \'self\'.',
connorjclark marked this conversation as resolved.
Show resolved Hide resolved
'Consider setting `base-uri` to `\'none\'` or `\'self\'`.',
/** Message shown when a CSP does not have a script-src directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "script-src" does not need to be translated. */
missingScriptSrc: 'script-src directive is missing. ' +
missingScriptSrc: '`script-src` directive is missing. ' +
'This can allow the execution of unsafe scripts.',
/** Message shown when a CSP does not have a script-src directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "object-src" and "'none'" do not need to be translated. */
missingObjectSrc: 'Missing object-src allows the injection of plugins ' +
'that execute unsafe scripts. Consider setting object-src to \'none\' if you can.',
missingObjectSrc: 'Missing `object-src` allows the injection of plugins ' +
'that execute unsafe scripts. Consider setting `object-src` to `\'none\'` if you can.',
/** Message shown when a CSP uses a domain allowlist to filter out malicious scripts. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP", "'strict-dynamic'", "nonces", and "hashes" do not need to be translated. "allowlists" can be interpreted as "whitelist". */
strictDynamic: 'Host allowlists can frequently be bypassed. Consider using ' +
'CSP nonces or hashes instead, along with \'strict-dynamic\' if necessary.',
connorjclark marked this conversation as resolved.
Show resolved Hide resolved
'CSP nonces or hashes instead, along with `\'strict-dynamic\'` if necessary.',
/** Message shown when a CSP allows inline scripts to be run in the page. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP", "'unsafe-inline'", "nonces", and "hashes" do not need to be translated. */
unsafeInline: '\'unsafe-inline\' allows the execution of unsafe in-page scripts ' +
connorjclark marked this conversation as resolved.
Show resolved Hide resolved
unsafeInline: '`\'unsafe-inline\'` allows the execution of unsafe in-page scripts ' +
'and event handlers. Consider using CSP nonces or hashes to allow scripts individually.',
/** Message shown when a CSP is not backwards compatible with browsers that do not support CSP nonces/hashes. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "'unsafe-inline'", "nonces", and "hashes" do not need to be translated. */
unsafeInlineFallback: 'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
connorjclark marked this conversation as resolved.
Show resolved Hide resolved
unsafeInlineFallback: 'Consider adding `\'unsafe-inline\'` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.',
/** Message shown when a CSP is not backwards compatible with browsers that do not support the 'strict-dynamic' keyword. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "http:", "https:", and "'strict-dynamic'" do not need to be translated. */
allowlistFallback: 'Consider adding https: and http: URL schemes (ignored by browsers ' +
'supporting \'strict-dynamic\') to be backward compatible with older browsers.',
connorjclark marked this conversation as resolved.
Show resolved Hide resolved
'supporting `\'strict-dynamic\'`) to be backward compatible with older browsers.',
/** Message shown when a CSP only provides a reporting destination through the report-to directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "report-to", "report-uri", and "Chromium" do not need to be translated. */
reportToOnly: 'The reporting destination is only configured via the report-to directive. ' +
'This directive is only supported in Chromium-based browsers so it is ' +
'recommended to also use a report-uri directive.',
'recommended to also use a `report-uri` directive.',
/** Message shown when a CSP does not provide a reporting destination. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP" does not need to be translated. */
reportingDestinationMissing: 'No CSP configures a reporting destination. ' +
'This makes it difficult to maintain the CSP over time and monitor for any breakages.',
Expand All @@ -65,13 +65,13 @@ const UIStrings = {
*/
unknownKeyword: '{keyword} seems to be an invalid keyword.',
/** Message shown when a CSP uses the deprecated reflected-xss directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "reflected-xss", "CSP2" and "X-XSS-Protection" do not need to be translated. */
deprecatedReflectedXSS: 'reflected-xss is deprecated since CSP2. ' +
deprecatedReflectedXSS: '`reflected-xss` is deprecated since CSP2. ' +
'Please, use the X-XSS-Protection header instead.',
/** Message shown when a CSP uses the deprecated referrer directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "referrer", "CSP2" and "Referrer-Policy" do not need to be translated. */
deprecatedReferrer: 'referrer is deprecated since CSP2. ' +
deprecatedReferrer: '`referrer` is deprecated since CSP2. ' +
'Please, use the Referrer-Policy header instead.',
/** Message shown when a CSP uses the deprecated disown-opener directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "disown-opener", "CSP3" and "Cross-Origin-Opener-Policy" do not need to be translated. */
deprecatedDisownOpener: 'disown-opener is deprecated since CSP3. ' +
deprecatedDisownOpener: '`disown-opener` is deprecated since CSP3. ' +
'Please, use the Cross-Origin-Opener-Policy header instead.',
/**
* @description Message shown when a CSP wildcard allows unsafe scripts to be run in the page. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy".
Expand Down
12 changes: 6 additions & 6 deletions core/test/audits/csp-xss-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -26,26 +26,26 @@ const STATIC_RESULTS = {
severity: SEVERITY.high,
description: {
formattedDefault:
'Missing object-src allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting object-src to \'none\' if you can.',
'Missing `object-src` allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting `object-src` to `\'none\'` if you can.',
},
directive: 'object-src',
},
noBaseUri: {
severity: SEVERITY.high,
description: {
formattedDefault:
'Missing base-uri allows injected <base> tags to set the base URL for all ' +
'Missing `base-uri` allows injected `<base>` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
'Consider setting base-uri to \'none\' or \'self\'.',
'Consider setting `base-uri` to `\'none\'` or `\'self\'`.',
},
directive: 'base-uri',
},
metaTag: {
severity: SEVERITY.medium,
description: {
formattedDefault:
'The page contains a CSP defined in a <meta> tag. ' +
'The page contains a CSP defined in a `<meta>` tag. ' +
'Consider moving the CSP to an HTTP header or ' +
'defining another strict CSP in an HTTP header.',
},
Expand All @@ -55,7 +55,7 @@ const STATIC_RESULTS = {
severity: SEVERITY.medium,
description: {
formattedDefault:
'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
'Consider adding `\'unsafe-inline\'` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.',
},
directive: 'script-src',
Expand Down
24 changes: 12 additions & 12 deletions core/test/lib/csp-evaluator-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'script-src directive is missing. This can allow the execution of unsafe scripts.'
'`script-src` directive is missing. This can allow the execution of unsafe scripts.'
);
});

Expand All @@ -55,8 +55,8 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Missing object-src allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting object-src to \'none\' if you can.'
'Missing `object-src` allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting `object-src` to `\'none\'` if you can.'
);
});

Expand All @@ -68,9 +68,9 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Missing base-uri allows injected <base> tags to set the base URL for all ' +
'Missing `base-uri` allows injected `<base>` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
'Consider setting base-uri to \'none\' or \'self\'.'
'Consider setting `base-uri` to `\'none\'` or `\'self\'`.'
);
});

Expand All @@ -82,7 +82,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'\'unsafe-inline\' allows the execution of unsafe in-page scripts ' +
'`\'unsafe-inline\'` allows the execution of unsafe in-page scripts ' +
'and event handlers. Consider using CSP nonces or hashes to allow scripts individually.'
);
});
Expand Down Expand Up @@ -124,7 +124,7 @@ describe('getTranslatedDescription', () => {
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Host allowlists can frequently be bypassed. Consider using ' +
'CSP nonces or hashes instead, along with \'strict-dynamic\' if necessary.'
'CSP nonces or hashes instead, along with `\'strict-dynamic\'` if necessary.'
);
});

Expand All @@ -137,7 +137,7 @@ describe('getTranslatedDescription', () => {
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Consider adding https: and http: URL schemes (ignored by browsers ' +
'supporting \'strict-dynamic\') to be backward compatible with older browsers.'
'supporting `\'strict-dynamic\'`) to be backward compatible with older browsers.'
);
});

Expand All @@ -149,7 +149,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
'Consider adding `\'unsafe-inline\'` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.'
);
});
Expand Down Expand Up @@ -235,7 +235,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'reflected-xss is deprecated since CSP2. ' +
'`reflected-xss` is deprecated since CSP2. ' +
'Please, use the X-XSS-Protection header instead.'
);
});
Expand All @@ -250,7 +250,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'referrer is deprecated since CSP2. ' +
'`referrer` is deprecated since CSP2. ' +
'Please, use the Referrer-Policy header instead.'
);
});
Expand All @@ -265,7 +265,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'disown-opener is deprecated since CSP3. ' +
'`disown-opener` is deprecated since CSP3. ' +
'Please, use the Cross-Origin-Opener-Policy header instead.'
);
});
Expand Down
24 changes: 12 additions & 12 deletions shared/localization/locales/en-US.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading