npm - simdeck - Versions diffs - 0.1.4 → 0.1.5 - Mend

simdeck 0.1.4 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (807) hide show

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/SameSiteWarnStrictLaxDowngradeStrict.md ADDED Viewed

@@ -0,0 +1,8 @@
+# Migrate entirely to HTTPS to continue having cookies sent on same-site requests
+A cookie is being sent to {PLACEHOLDER_destination} origin from {PLACEHOLDER_origin} context on a navigation.
+Because this cookie is being sent across schemes on the same site, it will not be sent in a future version of Chrome.
+This behavior enhances the `SameSite` attribute’s protection of user data from request forgery by network attackers.
+Resolve this issue by migrating your site (as defined by the eTLD+1) entirely to HTTPS.
+It is also recommended to mark the cookie with the `Secure` attribute if that is not already the case.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arInsecureContext.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Ensure that the attribution registration context is secure
+This page tried to register a source or trigger using the Attribution Reporting
+API but failed because the page that initiated the registration was not secure.
+The registration context must use HTTPS unless it is `localhost` or
+`127.0.0.1`.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arInvalidInfoHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure that the `Attribution-Reporting-Info` header is valid
+This page tried to register a source or trigger using the Attribution Reporting
+API but failed because an `Attribution-Reporting-Info` response header was
+invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arInvalidRegisterOsSourceHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure that the `Attribution-Reporting-Register-OS-Source` header is valid
+This page tried to register an OS source using the Attribution Reporting API
+but failed because an `Attribution-Reporting-Register-OS-Source` response
+header was invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arInvalidRegisterOsTriggerHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure that the `Attribution-Reporting-Register-OS-Trigger` header is valid
+This page tried to register an OS trigger using the Attribution Reporting API
+but failed because an `Attribution-Reporting-Register-OS-Trigger` response
+header was invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arInvalidRegisterSourceHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure that the `Attribution-Reporting-Register-Source` header is valid
+This page tried to register a source using the Attribution Reporting API but
+failed because an `Attribution-Reporting-Register-Source` response header was
+invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arInvalidRegisterTriggerHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure that the `Attribution-Reporting-Register-Trigger` header is valid
+This page tried to register a trigger using the Attribution Reporting API but
+failed because an `Attribution-Reporting-Register-Trigger` response header was
+invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNavigationRegistrationUniqueScopeAlreadySet.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure that multiple sources associated with the same navigation have the same attribution scopes
+The page tried to register a source using Attribution Reporting API, but the
+source was rejected because a previous source associated with the same
+navigation and reporting origin used a different set of attribution scopes.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNavigationRegistrationWithoutTransientUserActivation.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Ensure that navigation-source registrations are initiated by a user gesture
+This page tried to register a navigation source using the Attribution Reporting
+API but failed because the navigation was not initiated by a user gesture.
+Compared to event sources, navigation sources can release more cross-site
+information, and are therefore subject to this additional privacy control.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNoRegisterOsSourceHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# OS attribution source expected but corresponding header not found
+The page indicated, via the `Attribution-Reporting-Info` header, that it
+intended to register an OS source using the Attribution Reporting API, but the
+corresponding `Attribution-Reporting-Register-OS-Source` header was missing.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNoRegisterOsTriggerHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# OS attribution trigger expected but corresponding header not found
+The page indicated, via the `Attribution-Reporting-Info` header, that it
+intended to register an OS trigger using the Attribution Reporting API, but the
+corresponding `Attribution-Reporting-Register-OS-Trigger` header was missing.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNoRegisterSourceHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Web attribution source expected but corresponding header not found
+The page indicated, via the `Attribution-Reporting-Info` header, that it
+intended to register a web source using the Attribution Reporting API, but the
+corresponding `Attribution-Reporting-Register-Source` header was missing.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNoRegisterTriggerHeader.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Web attribution trigger expected but corresponding header not found
+The page indicated, via the `Attribution-Reporting-Info` header, that it
+intended to register a web trigger using the Attribution Reporting API, but the
+corresponding `Attribution-Reporting-Register-Trigger` header was missing.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arNoWebOrOsSupport.md ADDED Viewed

@@ -0,0 +1,4 @@
+# No web or OS support for Attribution Reporting
+The page tried to send an attributionsrc request, but there was neither web nor
+OS support for the Attribution Reporting API, so the request was skipped.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arOsSourceIgnored.md ADDED Viewed

@@ -0,0 +1,18 @@
+# An attribution OS source registration was ignored because the request was ineligible
+This page tried to register an OS source using the Attribution Reporting API,
+but the request was ineligible to do so, so the OS source registration was
+ignored.
+A request is eligible for OS source registration if it has all of the following:
+- An `Attribution-Reporting-Eligible` header whose value is a structured
+  dictionary that contains the key `navigation-source` or `event-source`
+- An `Attribution-Reporting-Support` header whose value is a structured
+  dictionary that contains the key `os`
+Otherwise, any `Attribution-Reporting-Register-OS-Source` response header will
+be ignored.
+Additionally, a single HTTP redirect chain may register only all sources or all
+triggers, not a combination of both.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arOsTriggerIgnored.md ADDED Viewed

@@ -0,0 +1,19 @@
+# An attribution OS trigger registration was ignored because the request was ineligible
+This page tried to register an OS trigger using the Attribution Reporting API,
+but the request was ineligible to do so, so the OS trigger registration was
+ignored.
+A request is eligible for OS trigger registration if it has all of the following:
+- No `Attribution-Reporting-Eligible` header or an
+  `Attribution-Reporting-Eligible` header whose value is a structured
+  dictionary that contains the key `trigger`
+- An `Attribution-Reporting-Support` header whose value is a structured
+  dictionary that contains the key `os`
+Otherwise, any `Attribution-Reporting-Register-OS-Trigger` response header will
+be ignored.
+Additionally, a single HTTP redirect chain may register only all sources or all
+triggers, not a combination of both.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arPermissionPolicyDisabled.md ADDED Viewed

@@ -0,0 +1,8 @@
+# The Attribution Reporting API can’t be used because Permissions Policy has been disabled
+This page tried to use the Attribution Reporting API but failed because the
+`attribution-reporting` Permission Policy was explicitly disabled.
+This API is currently enabled by default for top-level and cross-origin frames,
+but it is still possible for frames to have the permission disabled by their
+parent, e.g. with `<iframe src="…" allow="attribution-reporting 'none'">`.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arSourceAndTriggerHeaders.md ADDED Viewed

@@ -0,0 +1,9 @@
+# Ensure that attribution responses contain either source or trigger, not both
+This page tried to register a source and a trigger in the same HTTP response
+using the Attribution Reporting API, which is prohibited.
+The corresponding request was eligible to register either a source or a
+trigger, but the response may only set either the
+`Attribution-Reporting-Register-Source` header or the
+`Attribution-Reporting-Register-Trigger` header, not both.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arSourceIgnored.md ADDED Viewed

@@ -0,0 +1,13 @@
+# An attribution source registration was ignored because the request was ineligible
+This page tried to register a source using the Attribution Reporting API, but
+the request was ineligible to do so, so the source registration was ignored.
+A request is eligible for source registration if it has an
+`Attribution-Reporting-Eligible` header whose value is a structured dictionary
+that contains the key `navigation-source` or `event-source`. If the header is
+absent or does not contain one of those keys, any
+`Attribution-Reporting-Register-Source` response header will be ignored.
+Additionally, a single HTTP redirect chain may register only all sources or all
+triggers, not a combination of both.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arTriggerIgnored.md ADDED Viewed

@@ -0,0 +1,12 @@
+# An attribution trigger registration was ignored because the request was ineligible
+This page tried to register a trigger using the Attribution Reporting API, but
+the request was ineligible to do so, so the trigger registration was ignored.
+A request is eligible for trigger registration if it has an
+`Attribution-Reporting-Eligible` header whose value is a structured dictionary
+that contains the key `trigger`, or if the header is absent. Otherwise, any
+`Attribution-Reporting-Register-Trigger` response header will be ignored.
+Additionally, a single HTTP redirect chain may register only all sources or all
+triggers, not a combination of both.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arUntrustworthyReportingOrigin.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Ensure that attribution reporting origins are trustworthy
+This page tried to register a source or trigger using the Attribution Reporting
+API but failed because the reporting origin was not potentially trustworthy.
+The reporting origin is typically the server that sets the
+`Attribution-Reporting-Register-Source` or
+`Attribution-Reporting-Register-Trigger` header.
+The reporting origin must use HTTPS unless it is `localhost` or `127.0.0.1`.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/arWebAndOsHeaders.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Ensure that attribution responses contain either web or OS headers, not both
+This page included web and OS Attribution Reporting API headers in the same
+HTTP response, which is prohibited.
+The response may set at most one of the following headers:
+- `Attribution-Reporting-Register-OS-Source`
+- `Attribution-Reporting-Register-OS-Trigger`
+- `Attribution-Reporting-Register-Source`
+- `Attribution-Reporting-Register-Trigger`

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/bounceTrackingMitigations.md ADDED Viewed

@@ -0,0 +1,3 @@
+# Chrome may soon delete state for intermediate websites in a recent navigation chain
+In a recent navigation chain, one or more websites accessed some form of local storage without prior user interaction. If these websites don't get such an interaction soon, Chrome will delete their state.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/clientHintMetaTagAllowListInvalidOrigin.md ADDED Viewed

@@ -0,0 +1,4 @@
+# Client Hint meta tag contained invalid origin
+Items in the delegate-ch meta tag allow list must be valid origins.
+No special values (e.g. self, none, and *) are permitted.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/clientHintMetaTagModifiedHTML.md ADDED Viewed

@@ -0,0 +1,4 @@
+# Client Hint meta tag modified by javascript
+Only delegate-ch meta tags in the original HTML sent from the server
+are respected. Any injected via javascript (or other means) are ignored.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieCrossSiteRedirectDowngrade.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Cookie is blocked due to a cross-site redirect chain
+The cookie was blocked because the URL redirect chain was not fully same-site,
+meaning the final request was treated as a cross-site request.
+Like other cross-site requests, this blocks cookies with `SameSite=Lax` or
+`SameSite=Strict`.
+For example: If site A redirects to site B which then redirects back to site A,
+the final request to site A will be a cross-site request.
+If this behavior is causing breakage, please file a bug report with the link
+below.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieExcludeBlockedWithinRelatedWebsiteSet.md ADDED Viewed

@@ -0,0 +1,4 @@
+# Third-party cookie blocked within the same Related Website Set
+A cookie embedded by a site in the top-level page's Related Website Set was blocked
+by third-party cookie blocking.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieExcludeDomainNonAscii.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Ensure cookie `Domain` attribute values only contain ASCII characters
+`Domain` attributes in cookies are restricted to the ASCII character set. Any
+cookies that contain characters outside of the ASCII range in their `Domain`
+attribute will be ignored.
+To resolve this issue, you need to remove all non-ASCII characters from the
+`Domain` attribute of the affected cookies.
+If your site has an internationalized domain name (IDN), you should use
+[punycode](punycodeReference) representation for the `Domain` attribute instead.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieExcludePortMismatch.md ADDED Viewed

@@ -0,0 +1,8 @@
+# Cookie was not sent due to port mismatch
+Cookies can only be accessed by origins that share the same port as the origin
+that initially set the cookie.
+If this cookie is required for the request, the cookie will need to be set by an
+origin with the same port as the request. Alternatively, you can utilize the
+Domain attribute, which allows access to a cookie with a mismatched port.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieExcludeSchemeMismatch.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Cookie was not sent due to scheme mismatch
+The cookie can only be accessed by origins that share the same scheme as
+the origin that initially set it.
+If this cookie is required for the request, the cookie will need to be set
+by an origin with the same scheme as the request.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieExcludeThirdPartyPhaseoutRead.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Reading third-party cookie is blocked
+Cookies with the `SameSite=None; Secure` and not `Partitioned` attributes that operate in cross-site contexts are third-party cookies.
+Third-party cookies are restricted for this browser either because of Chrome flags or browser configuration.
+Learn more from the linked article about preparing your site to avoid potential breakage due to this.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieExcludeThirdPartyPhaseoutSet.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Setting third-party cookie is blocked
+Cookies with the `SameSite=None; Secure` and not `Partitioned` attributes that operate in cross-site contexts are third-party cookies.
+Third-party cookies are restricted for this browser either because of Chrome flags or browser configuration.
+Learn more from the linked article about preparing your site to avoid potential breakage due to this.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieWarnDomainNonAscii.md ADDED Viewed

@@ -0,0 +1,11 @@
+# Ensure cookie `Domain` attribute values only contain ASCII characters
+`Domain` attributes in cookies are restricted to the ASCII character set. Any
+cookies that contain characters outside of the ASCII range in their `Domain`
+attribute will be ignored in the future.
+To resolve this issue, you need to remove all non-ASCII characters from the
+`Domain` attribute of the affected cookies.
+If your site has an internationalized domain name (IDN), you should use
+[punycode](punycodeReference) representation for the `Domain` attribute instead.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieWarnMetadataGrantRead.md ADDED Viewed

@@ -0,0 +1,4 @@
+# Third-party websites are allowed to read cookies on this page
+One or more websites are allowed to bypass user settings to read third-party cookies on this page. Web developers should take steps to remove these reads without disrupting user experience. To forcefully block these third-party cookies, update [user settings](manageCookiesHelpPage).
+{PLACEHOLDER_topleveloptout}

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieWarnMetadataGrantSet.md ADDED Viewed

@@ -0,0 +1,4 @@
+# Third-party websites are allowed to set cookies on this page
+One or more websites are allowed to bypass user settings to set third-party cookies on this page. Web developers should take steps to remove these sets without disrupting user experience. To forcefully block these third-party cookies, update [user settings](manageCookiesHelpPage).
+{PLACEHOLDER_topleveloptout}

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieWarnThirdPartyPhaseoutRead.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Reading cookie in cross-site context may be impacted on Chrome
+Cookies with the `SameSite=None; Secure` and not `Partitioned` attributes that operate in cross-site contexts are third-party cookies.
+Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
+Learn more from the linked article about preparing your site to avoid potential breakage.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cookieWarnThirdPartyPhaseoutSet.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Setting cookie in cross-site context may be impacted on Chrome
+Cookies with the `SameSite=None; Secure` and not `Partitioned` attributes that operate in cross-site contexts are third-party cookies.
+Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies
+Learn more from the linked article about preparing your site to avoid potential breakage.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsAllowCredentialsRequired.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Ensure CORS requests include credentials only when allowed
+A cross-origin resource sharing (CORS) request was blocked because it was configured to include credentials but the `Access-Control-Allow-Credentials` response header of the request or the associated preflight request was not set to `true`.
+To fix this issue, ensure that resources that expect credentialed CORS requests set the `Access-Control-Allow-Credentials` header to `true`.
+Note that this requires the `Access-Control-Allow-Origin` header to not be a wildcard `*`.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsDisabledScheme.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Ensure CORS requests are made on supported schemes
+A cross-origin resource sharing (CORS) request was blocked because the scheme of the request's URL doesn't support CORS.
+To fix this issue, ensure all CORS request URLs specify a supported scheme, e.g. most commonly https://.
+Note that if an opaque response is sufficient, then for some schemes the request's mode can be set to `no-cors` to fetch the resource with CORS disabled; that way the scheme doesn't need to support CORS, but the response content is inaccessible (opaque).

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsDisallowedByMode.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Ensure only same-origin resources are fetched with same-origin request mode
+A cross-origin resource sharing (CORS) request to a cross-origin resource was blocked because the request mode was set to `same-origin`.
+To fix this issue, ensure that only same-origin resources are fetched with the `same-origin` request mode. If you need to fetch a cross-origin resource, use a request mode such as `cors`.
+Note that if an opaque response is sufficient, the request's mode can be set to `no-cors` to fetch the resource with CORS disabled; that way CORS headers are not required but the response content is inaccessible (opaque).

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsHeaderDisallowedByPreflightResponse.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure CORS request includes only allowed headers
+A cross-origin resource sharing (CORS) request was blocked because it contained request headers that were neither CORS-safelisted (`Accept`, `Accept-Language`, `Content-Language`, `Content-Type`) nor allowed by the `Access-Control-Allow-Headers` response header of the associated preflight request.
+To fix this issue, include the additional request headers you want to use in the `Access-Control-Allow-Headers` response header of the associated preflight request.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsInsecurePrivateNetwork.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Ensure private network requests are made from secure contexts
+A site requested a resource from a network that it could only access because of its users' privileged network position.
+These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.
+To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts. See the [feature status](PNASecureContextRestrictionFeatureStatus).
+To fix this issue, migrate the website that needs to access local resources to HTTPS. If the target resource is not served on localhost, it must also be served on HTTPS to avoid mixed-content issues.
+Administrators can make use of the `InsecurePrivateNetworkRequestsAllowed` and `InsecurePrivateNetworkRequestsAllowedForUrls` enterprise policies to temporarily disable this restriction on all or certain websites.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsInvalidHeaderValues.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Ensure CORS response header values are valid
+A cross-origin resource sharing (CORS) request was blocked because of invalid or missing response headers of the request or the associated [preflight request](issueCorsPreflightRequest).
+To fix this issue, ensure the response to the CORS request and/or the associated [preflight request](issueCorsPreflightRequest) are not missing headers and use valid header values.
+Note that if an opaque response is sufficient, the request's mode can be set to `no-cors` to fetch the resource with CORS disabled; that way CORS headers are not required but the response content is inaccessible (opaque).

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsLocalNetworkAccessPermissionDenied.md ADDED Viewed

@@ -0,0 +1,19 @@
+# Ensure that local network requests are compatible with upcoming restrictions
+A site requested a resource from a network that it could only access because of
+its users' privileged network position.
+These requests expose devices and servers to the internet, increasing the risk
+of a cross-site request forgery (CSRF) attack and/or information leakage.
+To mitigate these risks, Chrome will begin requiring the user grant explicit
+permission before a site can make local network requests. Local network requests
+are those that go to either private IP addresses, .local domains, or loopback
+addresses. Additionally, Chrome will block local network requests (both
+subframes and subresources) when initiated from non-secure contexts.
+If the user explicitly grants the permission, the site can make local network
+requests over HTTP for hostnames that are private IP addresses, .local
+hostnames, or to localhost. Sites can also set the `targetAddressSpace` fetch
+option to `private` or `local` to mark requests as being local network requests,
+which will allow them to be made over HTTP.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsMethodDisallowedByPreflightResponse.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure CORS request uses allowed method
+A cross-origin resource sharing (CORS) request was blocked because it neither uses one of the CORS-safelisted methods (`GET`, `HEAD`, `POST`) nor was the request method explicitly allowed by the `Access-Control-Allow-Methods` response header of the associated [preflight request](issueCorsPreflightRequest).
+To fix this issue, include the request method in the `Access-Control-Allow-Methods` header of the associated preflight request.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsNoCorsRedirectModeNotFollow.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure no-cors requests configure redirect mode follow
+A cross-origin resource sharing (CORS) request was blocked because it was configured to use request mode `no-cors` but did not use the redirect mode `follow`.
+To fix this issue, ensure that whenever the request mode `no-cors` is set then the redirect mode is set to `follow`.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsOriginMismatch.md ADDED Viewed

@@ -0,0 +1,6 @@
+# Ensure CORS requesting origin matches resource's allowed origin
+A cross-origin resource sharing (CORS) request was blocked because the `Access-Control-Allow-Origin` response header of the request or the associated [preflight request](issueCorsPreflightRequest) specified an origin different from the origin of the context that initiated the request.
+To fix this issue, ensure that the `Access-Control-Allow-Origin` header for the resource matches the request context's origin.
+If the resource never needs to be accessed with credentials, the `Access-Control-Allow-Origin` header may be set to a wildcard `*` to allow access from everywhere.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsPreflightAllowPrivateNetworkError.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Ensure private network requests are only made to resources that allow them
+A site requested a resource from a network that it could only access because of its users' privileged network position.
+These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.
+To mitigate these risks, Chrome will require non-public subresources to opt-into being accessed with a preflight request and will start blocking them in Chrome 130 (October 2024).
+To fix this issue, ensure that response to the [preflight request](issueCorsPreflightRequest) for the private network resource has the `Access-Control-Allow-Private-Network` header set to `true`.
+Administrators can make use of the `InsecurePrivateNetworkRequestsAllowed` and `InsecurePrivateNetworkRequestsAllowedForUrls` enterprise policies to temporarily disable this restriction on all or certain websites.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsPreflightResponseInvalid.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure preflight responses are valid
+A cross-origin resource sharing (CORS) request was blocked because the response to the associated [preflight request](issueCorsPreflightRequest) failed, had an unsuccessful HTTP status code, and/or was a redirect.
+To fix this issue, ensure all CORS preflight `OPTIONS` requests are answered with a successful HTTP status code (2xx) and do not redirect.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsPrivateNetworkPermissionDenied.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Ensure that private network requests made from secure context to plaintext resources can gain access based on user permission
+A site requested a resource from a network that it could only access because of its users' privileged network position.
+These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack and/or information leakage.
+To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts. See the [feature status](PNASecureContextRestrictionFeatureStatus).
+Setting a `targetAddressSpace` fetch option to `private` or `local` allows secure contexts to fetch private network resources over HTTP, which is normally forbidden by mixed-content checks. The target server must respond affirmatively to a preflight request, and the user must grant explicit permission.
+Make sure that the response to the [preflight request](issueCorsPreflightRequest) for the private network resource has the `Private-Network-Access-Id` and `Private-Network-Access-Name` header properly set. `Private-Network-Access-Id` should be the device's MAC address and `Private-Network-Access-Name` should be a human-friendly device name.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsRedirectContainsCredentials.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Ensure CORS requests are not redirected to URLs containing credentials
+A cross-origin resource sharing (CORS) request was blocked because the response was a redirect to a URL that includes credentials, i.e. redirected to a URL of the form `https://username:password@example.com`.
+To fix this issue, ensure CORS requests are not redirected to URLs that include credentials.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/corsWildcardOriginNotAllowed.md ADDED Viewed

@@ -0,0 +1,8 @@
+# Ensure credentialed requests are not sent to CORS resources with origin wildcards
+A cross-origin resource sharing (CORS) request was blocked because it was configured to `include` credentials and the `Access-Control-Allow-Origin` response header of the request or the associated [preflight request](issueCorsPreflightRequest) was set to a wildcard `*`. CORS requests may only include credentials for resources where the `Access-Control-Allow-Origin` header is not a wildcard.
+To fix this issue, ensure that either the request is configured to not include credentials, or change the `Access-Control-Allow-Origin` header of the resource to not be a wildcard.
+Note that if an opaque response is sufficient, the request's mode can be set to `no-cors` to fetch the resource with CORS disabled; that way CORS headers are not required but credentials are not sent and the response content is inaccessible (opaque).

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cspEvalViolation.md ADDED Viewed

@@ -0,0 +1,9 @@
+# Content Security Policy of your site blocks the use of 'eval' in JavaScript`
+The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.
+To solve this issue, avoid using `eval()`, `new Function()`, `setTimeout([string], ...)` and `setInterval([string], ...)` for evaluating strings.
+If you absolutely must: you can enable string evaluation by adding `unsafe-eval` as an allowed source in a `script-src` directive.
+⚠️ Allowing string evaluation comes at the risk of inline script injection.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cspInlineViolation.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Content Security Policy blocks inline execution of scripts and stylesheets
+The Content Security Policy (CSP) prevents cross-site scripting attacks by blocking inline execution of scripts and style sheets.
+To solve this, move all inline scripts (e.g. `onclick=[JS code]`) and styles into external files.
+⚠️ Allowing inline execution comes at the risk of script injection via injection of HTML script elements. If you absolutely must, you can allow inline script and styles by:
+* adding `unsafe-inline` as a source to the CSP header
+* adding the hash or nonce of the inline script to your CSP header.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cspTrustedTypesPolicyViolation.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Trusted Type policy creation blocked by Content Security Policy
+Your site tries to create a Trusted Type policy that has not been allowed by the Content Security Policy. The Content Security Policy may restrict the set of valid names for Trusted Type policies, and forbid more than one policy of each name.
+To solve this, make sure that the names of the policies listed below are declared in the `trusted-types` CSP directive. To allow redefining policies add the `allow-duplicates` keyword. If you want to remove all restrictions on policy names, remove the `trusted-types` directive entirely (not recommended).

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cspTrustedTypesSinkViolation.md ADDED Viewed

@@ -0,0 +1,8 @@
+# Trusted Type expected, but String received
+Your site tries to use a plain string in a DOM modification where a Trusted Type is expected. Requiring Trusted Types for DOM modifications helps to prevent cross-site scripting attacks.
+To solve this, provide a Trusted Type to all the DOM modifications listed below. You can convert a string into a Trusted Type by:
+* defining a policy and using its corresponding `createHTML`, `createScript` or `createScriptURL` function.
+* defining a policy named `default` which will be automatically called.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/cspURLViolation.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Content Security Policy of your site blocks some resources
+Some resources are blocked because their origin is not listed in your site's Content Security Policy (CSP). Your site's CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.
+A site's Content Security Policy is set either via an HTTP header (recommended), or via a meta HTML tag.
+To fix this issue do one of the following:
+* (Recommended) If you're using an allowlist for `'script-src'`, consider switching from an allowlist CSP to a strict CSP, because strict CSPs are [more robust against XSS](issuesCSPWhyStrictOverAllowlist). [See how to set a strict CSP](issuesCSPSetStrict).
+* Or carefully check that all of the blocked resources are trustworthy; if they are, include their sources in the CSP of your site. ⚠️Never add a source you don't trust to your site's CSP. If you don't trust the source, consider hosting resources on your own site instead.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/deprecation.md ADDED Viewed

@@ -0,0 +1,3 @@
+# {PLACEHOLDER_title}
+{PLACEHOLDER_message}

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestAccountsHttpNotFound.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The provider's accounts list endpoint cannot be found.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestAccountsInvalidResponse.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Provider's accounts list is invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestAccountsNoResponse.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The response body is empty when fetching the provider's accounts list.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestApprovalDeclined.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # User declined the sign-in attempt.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestCanceled.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The request has been aborted.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestClientMetadataHttpNotFound.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The provider's client metadata endpoint cannot be found.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestClientMetadataInvalidResponse.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Provider's client metadata is invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestClientMetadataNoResponse.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The response body is empty when fetching the provider's client metadata.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestErrorFetchingSignin.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Error attempting to reach the provider's sign-in endpoint.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestErrorIdToken.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Error retrieving a token.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestIdTokenHttpNotFound.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The provider's id token endpoint cannot be found.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestIdTokenInvalidRequest.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # The token fetching request is invalid.

package/client/dist/chrome-devtools-ui/models/issues_manager/descriptions/federatedAuthRequestIdTokenInvalidResponse.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # Provider's token is invalid.