core(csp): use monospace for technical terms in strings #15511

Merged
merged 4 commits into from
Oct 3, 2023
Changes from 3 commits
2 changes: 1 addition & 1 deletion core/audits/csp-xss.js
Expand Up @@ -21,7 +21,7 @@ const UIStrings = {
/** Summary text for the results of a Lighthouse audit that evaluates the security of a page's CSP. This is displayed if no CSP is being enforced. "CSP" stands for "Content Security Policy". "CSP" does not need to be translated. */
noCsp: 'No CSP found in enforcement mode',
/** Message shown when one or more CSPs are defined in a <meta> tag. Shown in a table with a list of other CSP bypasses and warnings. "CSP" stands for "Content Security Policy". "CSP" and "HTTP" do not need to be translated. */
metaTagMessage: 'The page contains a CSP defined in a <meta> tag. ' +
metaTagMessage: 'The page contains a CSP defined in a `<meta>` tag. ' +
'Consider moving the CSP to an HTTP header or ' +
'defining another strict CSP in an HTTP header.',
/** Label for a column in a data table; entries will be a directive of a CSP. "CSP" stands for "Content Security Policy". */
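Review bot: the description comment above `metaTagMessage` still lists only "CSP" and "HTTP" as terms that do not need translation; now that `<meta>` is wrapped in backticks, the comment should also tell translators that the backticks are markup to keep (for example: "`<meta>` is code and must be kept as-is, including the backticks"), otherwise a locale can drop them and lose the monospace rendering this PR is adding.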
26 changes: 13 additions & 13 deletions core/lib/csp-evaluator.js
Expand Up @@ -19,31 +19,31 @@ import {isIcuMessage} from '../../shared/localization/format.js';

const UIStrings = {
/** Message shown when a CSP does not have a base-uri directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "base-uri", "'none'", and "'self'" do not need to be translated. */
missingBaseUri: 'Missing base-uri allows injected <base> tags to set the base URL for all ' +
missingBaseUri: 'Missing `base-uri` allows injected `<base>` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
'Consider setting base-uri to \'none\' or \'self\'.',
'Consider setting `base-uri` to `\'none\'` or `\'self\'`.',
/** Message shown when a CSP does not have a script-src directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "script-src" does not need to be translated. */
missingScriptSrc: 'script-src directive is missing. ' +
missingScriptSrc: '`script-src` directive is missing. ' +
'This can allow the execution of unsafe scripts.',
/** Message shown when a CSP does not have a script-src directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "object-src" and "'none'" do not need to be translated. */
missingObjectSrc: 'Missing object-src allows the injection of plugins ' +
'that execute unsafe scripts. Consider setting object-src to \'none\' if you can.',
missingObjectSrc: 'Missing `object-src` allows the injection of plugins ' +
'that execute unsafe scripts. Consider setting `object-src` to `\'none\'` if you can.',
/** Message shown when a CSP uses a domain allowlist to filter out malicious scripts. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP", "'strict-dynamic'", "nonces", and "hashes" do not need to be translated. "allowlists" can be interpreted as "whitelist". */
strictDynamic: 'Host allowlists can frequently be bypassed. Consider using ' +
'CSP nonces or hashes instead, along with \'strict-dynamic\' if necessary.',
'CSP nonces or hashes instead, along with `strict-dynamic` if necessary.',
/** Message shown when a CSP allows inline scripts to be run in the page. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP", "'unsafe-inline'", "nonces", and "hashes" do not need to be translated. */
unsafeInline: '\'unsafe-inline\' allows the execution of unsafe in-page scripts ' +
unsafeInline: '`unsafe-inline` allows the execution of unsafe in-page scripts ' +
'and event handlers. Consider using CSP nonces or hashes to allow scripts individually.',
/** Message shown when a CSP is not backwards compatible with browsers that do not support CSP nonces/hashes. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "'unsafe-inline'", "nonces", and "hashes" do not need to be translated. */
unsafeInlineFallback: 'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
unsafeInlineFallback: 'Consider adding `unsafe-inline` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.',
/** Message shown when a CSP is not backwards compatible with browsers that do not support the 'strict-dynamic' keyword. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "http:", "https:", and "'strict-dynamic'" do not need to be translated. */
allowlistFallback: 'Consider adding https: and http: URL schemes (ignored by browsers ' +
'supporting \'strict-dynamic\') to be backward compatible with older browsers.',
'supporting `strict-dynamic`) to be backward compatible with older browsers.',
/** Message shown when a CSP only provides a reporting destination through the report-to directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "report-to", "report-uri", and "Chromium" do not need to be translated. */
reportToOnly: 'The reporting destination is only configured via the report-to directive. ' +
'This directive is only supported in Chromium-based browsers so it is ' +
'recommended to also use a report-uri directive.',
'recommended to also use a `report-uri` directive.',
/** Message shown when a CSP does not provide a reporting destination. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "CSP" does not need to be translated. */
reportingDestinationMissing: 'No CSP configures a reporting destination. ' +
'This makes it difficult to maintain the CSP over time and monitor for any breakages.',
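Review bot: the quoting of CSP keywords is inconsistent within this hunk. `'none'` and `'self'` keep their single quotes inside the backticks (`` `\'none\'` ``, `` `\'self\'` ``), but `'strict-dynamic'` and `'unsafe-inline'` lose theirs (`` `strict-dynamic` ``, `` `unsafe-inline` `` in `strictDynamic`, `unsafeInline`, `unsafeInlineFallback` and `allowlistFallback`). In CSP syntax all four are quoted source-expression keywords, and the JSDoc comments on those same lines still list them as "'strict-dynamic'" and "'unsafe-inline'" with quotes, so comment and string now disagree. Suggest keeping the quotes everywhere, e.g. `` `\'unsafe-inline\'` `` and `` `\'strict-dynamic\'` ``, or updating the comments if the quotes are intentionally dropped. Two smaller consistency points in the same hunk: `report-to` in `reportToOnly` and the `https:`/`http:` schemes in `allowlistFallback` are left plain while `report-uri` and `strict-dynamic` in the same strings get backticks.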
Expand All @@ -65,13 +65,13 @@ const UIStrings = {
*/
unknownKeyword: '{keyword} seems to be an invalid keyword.',
/** Message shown when a CSP uses the deprecated reflected-xss directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "reflected-xss", "CSP2" and "X-XSS-Protection" do not need to be translated. */
deprecatedReflectedXSS: 'reflected-xss is deprecated since CSP2. ' +
deprecatedReflectedXSS: '`reflected-xss` is deprecated since CSP2. ' +
'Please, use the X-XSS-Protection header instead.',
/** Message shown when a CSP uses the deprecated referrer directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "referrer", "CSP2" and "Referrer-Policy" do not need to be translated. */
deprecatedReferrer: 'referrer is deprecated since CSP2. ' +
deprecatedReferrer: '`referrer` is deprecated since CSP2. ' +
'Please, use the Referrer-Policy header instead.',
/** Message shown when a CSP uses the deprecated disown-opener directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "disown-opener", "CSP3" and "Cross-Origin-Opener-Policy" do not need to be translated. */
deprecatedDisownOpener: 'disown-opener is deprecated since CSP3. ' +
deprecatedDisownOpener: '`disown-opener` is deprecated since CSP3. ' +
'Please, use the Cross-Origin-Opener-Policy header instead.',
/**
* @description Message shown when a CSP wildcard allows unsafe scripts to be run in the page. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy".
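Review bot: the three deprecation strings (`deprecatedReflectedXSS`, `deprecatedReferrer`, `deprecatedDisownOpener`) backtick the deprecated directive but leave the replacement header names (`X-XSS-Protection`, `Referrer-Policy`, `Cross-Origin-Opener-Policy`) plain, even though the comments above them call those headers out as do-not-translate technical terms; consider wrapping the header names in backticks as well so each message is consistently formatted. The untouched `{keyword}` placeholder in `unknownKeyword` is worth a decision too, since a rendered keyword is exactly the kind of term this PR sets in monospace.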
12 changes: 6 additions & 6 deletions core/test/audits/csp-xss-test.js
Expand Up @@ -26,26 +26,26 @@ const STATIC_RESULTS = {
severity: SEVERITY.high,
description: {
formattedDefault:
'Missing object-src allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting object-src to \'none\' if you can.',
'Missing `object-src` allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting `object-src` to `\'none\'` if you can.',
},
directive: 'object-src',
},
noBaseUri: {
severity: SEVERITY.high,
description: {
formattedDefault:
'Missing base-uri allows injected <base> tags to set the base URL for all ' +
'Missing `base-uri` allows injected `<base>` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
'Consider setting base-uri to \'none\' or \'self\'.',
'Consider setting `base-uri` to `\'none\'` or `\'self\'`.',
},
directive: 'base-uri',
},
metaTag: {
severity: SEVERITY.medium,
description: {
formattedDefault:
'The page contains a CSP defined in a <meta> tag. ' +
'The page contains a CSP defined in a `<meta>` tag. ' +
'Consider moving the CSP to an HTTP header or ' +
'defining another strict CSP in an HTTP header.',
},
Expand All @@ -55,7 +55,7 @@ const STATIC_RESULTS = {
severity: SEVERITY.medium,
description: {
formattedDefault:
'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
'Consider adding `unsafe-inline` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.',
},
directive: 'script-src',
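Review bot: the updated `unsafeInlineFallback` fixture drops the single quotes around `unsafe-inline`, while the `noBaseUri` and object-src fixtures earlier in this file keep them inside the backticks (`` `\'none\'` ``); the fixtures mirror the current source strings, so whichever quoting convention is settled on for `core/lib/csp-evaluator.js`, both fixtures in this file need to be updated together with it.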
24 changes: 12 additions & 12 deletions core/test/lib/csp-evaluator-test.js
Expand Up @@ -43,7 +43,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'script-src directive is missing. This can allow the execution of unsafe scripts.'
'`script-src` directive is missing. This can allow the execution of unsafe scripts.'
);
});
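Review bot: these `toBeDisplayString` assertions confirm that the backticks survive `getTranslatedDescription` and ICU formatting, but not that the report renderer turns them into monospace, which is the actual intent of the PR; a renderer-level test covering one CSP audit description would close that gap, and would also catch a locale that strips the backticks.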

Expand All @@ -55,8 +55,8 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Missing object-src allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting object-src to \'none\' if you can.'
'Missing `object-src` allows the injection of plugins that execute unsafe scripts. ' +
'Consider setting `object-src` to `\'none\'` if you can.'
);
});

Expand All @@ -68,9 +68,9 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Missing base-uri allows injected <base> tags to set the base URL for all ' +
'Missing `base-uri` allows injected `<base>` tags to set the base URL for all ' +
'relative URLs (e.g. scripts) to an attacker controlled domain. ' +
'Consider setting base-uri to \'none\' or \'self\'.'
'Consider setting `base-uri` to `\'none\'` or `\'self\'`.'
);
});

Expand All @@ -82,7 +82,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'\'unsafe-inline\' allows the execution of unsafe in-page scripts ' +
'`unsafe-inline` allows the execution of unsafe in-page scripts ' +
'and event handlers. Consider using CSP nonces or hashes to allow scripts individually.'
);
});
Expand Up @@ -124,7 +124,7 @@ describe('getTranslatedDescription', () => {
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Host allowlists can frequently be bypassed. Consider using ' +
'CSP nonces or hashes instead, along with \'strict-dynamic\' if necessary.'
'CSP nonces or hashes instead, along with `strict-dynamic` if necessary.'
);
});

Expand All @@ -137,7 +137,7 @@ describe('getTranslatedDescription', () => {
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Consider adding https: and http: URL schemes (ignored by browsers ' +
'supporting \'strict-dynamic\') to be backward compatible with older browsers.'
'supporting `strict-dynamic`) to be backward compatible with older browsers.'
);
});

Expand All @@ -149,7 +149,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'Consider adding \'unsafe-inline\' (ignored by browsers supporting ' +
'Consider adding `unsafe-inline` (ignored by browsers supporting ' +
'nonces/hashes) to be backward compatible with older browsers.'
);
});
Expand Up @@ -235,7 +235,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'reflected-xss is deprecated since CSP2. ' +
'`reflected-xss` is deprecated since CSP2. ' +
'Please, use the X-XSS-Protection header instead.'
);
});
Expand All @@ -250,7 +250,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'referrer is deprecated since CSP2. ' +
'`referrer` is deprecated since CSP2. ' +
'Please, use the Referrer-Policy header instead.'
);
});
Expand All @@ -265,7 +265,7 @@ describe('getTranslatedDescription', () => {
expect(translated).toHaveLength(1);
expect(isIcuMessage(translated[0])).toBeTruthy();
expect(translated[0]).toBeDisplayString(
'disown-opener is deprecated since CSP3. ' +
'`disown-opener` is deprecated since CSP3. ' +
'Please, use the Cross-Origin-Opener-Policy header instead.'
);
});
24 changes: 12 additions & 12 deletions shared/localization/locales/en-US.json

Some generated files are not rendered by default.
