From e80d1c14678b9b7ad3c6844aeae22b70974846aa Mon Sep 17 00:00:00 2001 From: Mattia Rollo BID <54687718+Mattia-Rollo@users.noreply.github.com> Date: Sun, 2 Nov 2025 23:23:07 +0100 Subject: [PATCH 1/3] Fix: Use px unit in @property/initial-value example (#41781) * Fix: Use px unit in @property/initial-value example * Add explanation from main page * Update files/en-us/web/css/@property/initial-value/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Add back --------- Co-authored-by: Joshua Chen Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- files/en-us/web/css/@property/initial-value/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/files/en-us/web/css/@property/initial-value/index.md b/files/en-us/web/css/@property/initial-value/index.md index 33f593f4df5ee34..41214884f08a39b 100644 --- a/files/en-us/web/css/@property/initial-value/index.md +++ b/files/en-us/web/css/@property/initial-value/index.md @@ -17,7 +17,7 @@ If required but missing or invalid, the entire `@property` rule is invalid and i initial-value: rebeccapurple; /* Set initial length value */ -initial-value: 2rem; +initial-value: 16px; ``` ### Values 
@@ -25,6 +25,8 @@ initial-value: 2rem; A value that matches the type specified in the {{cssxref("@property/syntax", "syntax")}} descriptor. For example, if `syntax` is ``, then the `initial-value` must be a valid {{cssxref("color")}} value. +If the value of the `syntax` descriptor is not the universal syntax definition, the `initial-value` descriptor has to be a [computationally independent](https://drafts.css-houdini.org/css-properties-values-api-1/#computationally-independent) value. This means the value can be converted into a computed value without depending on other values, except for "global" definitions independent of CSS. For example, `10px` is computationally independent—it doesn't change when converted to a computed value. `2in` is also valid, because `1in` is always equivalent to `96px`. However, `3em` is not valid, because the value of an `em` is dependent on the parent's {{cssxref("font-size")}}. + ## Formal definition {{cssinfo}} From 4db798b6db5773ba5dd76511d60e151db65c320e Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Mon, 3 Nov 2025 10:02:53 +1100 Subject: [PATCH 2/3] FF145 Relnote: Trusted Types early beta (#41518) * FF145 Relnote: Trusted Types early beta * trusted-types-eval - add * Add more items to trusted types sinks * Add note about indirect injection * Apply suggestions from code review Co-authored-by: Brian Smith * Move the injection sink list --------- Co-authored-by: Brian Smith --- .../firefox/experimental_features/index.md | 24 +++---- .../mozilla/firefox/releases/145/index.md | 11 +++ .../en-us/web/api/trusted_types_api/index.md | 68 ++++++++++++++++++- files/en-us/web/http/guides/csp/index.md | 6 +- .../headers/content-security-policy/index.md | 27 ++++++-- 5 files changed, 114 insertions(+), 22 deletions(-) diff --git a/files/en-us/mozilla/firefox/experimental_features/index.md b/files/en-us/mozilla/firefox/experimental_features/index.md index 874df29ace2307a..171b65536c3e8f1 100644 
--- a/files/en-us/mozilla/firefox/experimental_features/index.md +++ b/files/en-us/mozilla/firefox/experimental_features/index.md 
@@ -408,26 +408,20 @@ The {{domxref("CloseWatcher")}} interface allows developers to implement UI comp ### Trusted Types API The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) provides mechanisms to ensure that functions that can potentially be used as vectors for XSS attacks are only able to be called with data that has been validated or sanitized. +The API is enabled in early beta releases ([Firefox bug 1992941](https://bugzil.la/1992941)). -> [!NOTE] -> At the time of writing not enough of the API has been implemented for it to be effectively testable. -> This note will be removed once it is ready. +This includes (non-exhaustively): -This subset of the API has been implemented: - -- {{domxref("TrustedTypePolicyFactory")}}: - - {{domxref("TrustedTypePolicyFactory/getAttributeType", "getAttributeType()")}} and {{domxref("TrustedTypePolicyFactory/getPropertyType", "getPropertyType()")}} ([Firefox bug 1917783](https://bugzil.la/1917783), [Firefox bug 1917784](https://bugzil.la/1917784)). -- The {{domxref("Document.write()", "write()")}} and {{domxref("Document.writeln()","writeln()")}} methods of the {{domxref("Document")}} interface now accept {{domxref("TrustedHTML")}} objects as parameters, in addition to strings. ([Firefox bug 1906301](https://bugzil.la/1906301)). -- The {{domxref("HTMLScriptElement.text","text")}}, {{domxref("HTMLElement.innerText","innerText")}}, and {{domxref("Node.textContent","textContent")}} properties of the {{domxref("HTMLScriptElement")}} interface now accept {{domxref("TrustedScript")}} objects a value, while {{domxref("HTMLScriptElement.src", "src")}} accepts {{domxref("TrustedScriptURL")}} values. ([Firefox bug 1905706](https://bugzil.la/1905706)). -- The {{domxref("Window.setInterval()")}} and {{domxref("Window.setTimeout()")}} methods can be called with a {{domxref("TrustedScript")}}. ([Firefox bug 1931290](https://bugzil.la/1931290)). 
-- The global [`trustedTypes`](/en-US/docs/Web/API/Window/trustedTypes) property is available for accessing the Trusted Types API. -- The properties {{domxref("Element.innerHTML")}} and {{domxref("ShadowRoot.innerHTML")}} can be called with [trusted types](/en-US/docs/Web/API/Trusted_Types_API). +- Addition of the {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}} interfaces, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}. +- Updates to [injection sink interfaces](/en-US/docs/Web/API/Trusted_Types_API#injection_sink_interfaces), such as {{domxref("Element.innerHTML")}} and {{domxref("Document.write()", "document.write()")}}, to allow the `TrustedHTML`, `TrustedScript`, `TrustedScriptURL` to be passed as well as strings. +- Support for the [`require-trusted-types-for`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/require-trusted-types-for) and [`trusted-types`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/trusted-types) directives, and the [`'trusted-types-eval'`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#trusted-types-eval) keyword, of the {{HTTPHeader("Content-Security-Policy")}} HTTP header. + These can be used to enforce trusted types instead of strings, name the specific policies that are allowed, and to enable [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) and similar functions to be used when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are supported and enforced. | Release channel | Version added | Enabled by default? 
| | ----------------- | ------------- | ------------------- | -| Nightly | 133 | No | -| Developer Edition | 133 | No | -| Beta | 133 | No | +| Nightly | 145 | Yes | +| Developer Edition | 145 | Yes | +| Beta | 145 | Yes | | Release | 133 | No | - `dom.security.trusted_types.enabled` diff --git a/files/en-us/mozilla/firefox/releases/145/index.md b/files/en-us/mozilla/firefox/releases/145/index.md index 3901ce005b3bac5..85f51f23418ae41 100644 --- a/files/en-us/mozilla/firefox/releases/145/index.md +++ b/files/en-us/mozilla/firefox/releases/145/index.md 
@@ -117,3 +117,14 @@ You can find more such features on the [Experimental features](/en-US/docs/Mozil The CSS `text-decoration-trim` property is supported but currently disabled by default. It allows you to specify {{cssxref("text-decoration")}} start and end offsets to shorten, lengthen, or shift the position of text decorations with respect to the text ([Firefox bug 1979915](https://bugzil.la/1979915)). + +- **Trusted Types API** for scripts (Nightly/Early Beta): `dom.security.trusted_types.enabled` + + The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) is now enabled in early beta releases. ([Firefox bug 1976656](https://bugzil.la/1976656)). + + The changes include: + +- Addition of the {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}} interfaces, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}. + - Updates to [injection sink interfaces](/en-US/docs/Web/API/Trusted_Types_API##injection_sink_interfaces) APIs, such as {{domxref("Element.innerHTML")}} and {{domxref("Document.write()", "document.write()")}}, to allow the `TrustedHTML`, `TrustedScript`, `TrustedScriptURL` to be passed as well as strings. + - Support for the [`require-trusted-types-for`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/require-trusted-types-for) and [`trusted-types`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/trusted-types) directives, and the [`'trusted-types-eval'`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#trusted-types-eval) keyword, of the {{HTTPHeader("Content-Security-Policy")}} HTTP header. 
+ These can be used to enforce trusted types instead of strings, name the specific policies that are allowed, and to enable [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) and similar functions to be used when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are supported and enforced. diff --git a/files/en-us/web/api/trusted_types_api/index.md b/files/en-us/web/api/trusted_types_api/index.md index 3e1d59146291f9b..a019bfeacb60cf0 100644 --- a/files/en-us/web/api/trusted_types_api/index.md +++ b/files/en-us/web/api/trusted_types_api/index.md @@ -12,7 +12,7 @@ The **Trusted Types API** gives web developers a way to ensure that input has be ## Concepts and usage -Client-side, or DOM-based, XSS attacks happen when data crafted by an attacker is passed to a browser API that executes that data as code. These APIs are known as _injection sinks_. +Client-side, or DOM-based, XSS attacks happen when data crafted by an attacker is passed to a browser API that executes that data as code. These APIs are known as [_injection sinks_](#injection_sink_interfaces). The Trusted Types API distinguishes three sorts of injection sinks: 
@@ -134,6 +134,50 @@ element.innerHTML = userInput; > [!NOTE] > It's recommended that you use the default policy only while you are transitioning from legacy code that passes input directly to injection sinks, to code that uses trusted types explicitly. +### Injection sink interfaces + +This section provides an list of "direct" injection sink interfaces. + +Note that there are cases where untrusted strings may be "indirectly injected", such as when an untrusted string is added as the child node of a script element, and then the element is added to the document. +These cases are evaluated the untrusted script is added to the document. + +#### TrustedHTML + +- {{domxref("Document.execCommand()")}} with a `commandName` of [`"insertHTML"`](/en-US/docs/Web/API/Document/execCommand#inserthtml) +- {{domxref("Document.parseHTMLUnsafe_static()")}} +- {{domxref("Document.write()")}} +- {{domxref("Document.writeln()")}} +- {{domxref("DOMParser.parseFromString()")}} +- {{domxref("Element.innerHTML")}} +- {{domxref("Element.insertAdjacentHTML")}} +- {{domxref("Element.outerHTML")}} +- {{domxref("Element.setHTMLUnsafe()")}} +- {{domxref("HTMLIFrameElement.srcdoc")}} +- {{domxref("Range.createContextualFragment()")}} +- {{domxref("ShadowRoot.innerHTML")}} +- {{domxref("ShadowRoot.setHTMLUnsafe()")}} + +#### TrustedScript + +- [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) +- [`Element.setAttribute()`](/en-US/docs/Web/API/Element/setAttribute#value) (`value` argument) +- [`Element.setAttributeNS()`](/en-US/docs/Web/API/Element/setAttributeNS#value) (`value` argument) +- [`Function()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function) +- {{domxref("HTMLScriptElement.innerText")}} +- {{domxref("HTMLScriptElement.textContent")}} +- {{domxref("HTMLScriptElement.text")}} +- [`window.setTimeout()`](/en-US/docs/Web/API/Window/setTimeout#code) and 
[`WorkerGlobalScope.setTimeout()`](/en-US/docs/Web/API/WorkerGlobalScope/setTimeout#code) (`code` argument) +- [`window.setInterval()`](/en-US/docs/Web/API/Window/setInterval#code) and [`WorkerGlobalScope.setInterval()`](/en-US/docs/Web/API/WorkerGlobalScope/setInterval#code) (`code` argument) + +#### TrustedScriptURL + +- {{domxref("HTMLScriptElement.src")}} +- {{domxref("ServiceWorkerContainer.register()")}} +- {{domxref("SvgAnimatedString.baseVal")}} +- {{domxref("WorkerGlobalScope.importScripts()")}} +- `url` argument to [`Worker()` constructor](/en-US/docs/Web/API/Worker/Worker#url) +- `url` argument to [`SharedWorker()` constructor](/en-US/docs/Web/API/SharedWorker/SharedWorker#url) + ### Cross-browser support for trusted types The Trusted Types API is not yet available in all modern browsers, but it is usable everywhere today thanks to [compatibility aids created by the W3C](https://github.com/w3c/trusted-types/tree/main?tab=readme-ov-file#polyfill). 
@@ -201,6 +245,28 @@ Either way, the injection sink gets sanitized data, and because we could enforce - {{domxref("TrustedTypePolicyFactory")}} - : Creates policies and verifies that Trusted Type object instances were created via one of the policies. +### Extensions to other interfaces + +- {{domxref("Window.trustedTypes")}} + - : Returns the {{domxref("TrustedTypePolicyFactory")}} object associated with the global object in the main thread. + This is the entry point for using the API in the Window thread. +- {{domxref("WorkerGlobalScope.trustedTypes")}}. + - : Returns the {{domxref("TrustedTypePolicyFactory")}} object associated with the global object in a worker. + +### Extensions to HTTP + +#### `Content-Security-Policy` directives + +- {{CSP("require-trusted-types-for")}} + - : Enforces that [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are passed to DOM XSS [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage). +- {{CSP("trusted-types")}} + - : Used to specify an allowlist of [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) policy names. + +#### `Content-Security-Policy` keywords + +- [`trusted-types-eval`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#trusted-types-eval) + - : Allows [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) and similar functions to be used but only when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are supported and enforced. + ## Examples In the below example we create a policy that will create {{domxref("TrustedHTML")}} objects using {{domxref("TrustedTypePolicyFactory.createPolicy()")}}. We can then use {{domxref("TrustedTypePolicy.createHTML()")}} to create a sanitized HTML string to be inserted into the document. diff --git a/files/en-us/web/http/guides/csp/index.md b/files/en-us/web/http/guides/csp/index.md index 6d242d928845cbf..3cc707774a1aa57 100644 --- a/files/en-us/web/http/guides/csp/index.md +++ b/files/en-us/web/http/guides/csp/index.md 
@@ -329,7 +329,11 @@ Like inline JavaScript, if a CSP contains either a `default-src` or a `script-sr setTimeout("console.log('hello from setTimeout')", 1); ``` -The `unsafe-eval` keyword can be used to override this behavior, and as with `unsafe-inline`, and for the same reasons: **developers should avoid `unsafe-eval`**. Sometimes it can be difficult to remove usages of `eval()`: in these situations, the [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) can make it safer, by ensuring that the input meets a defined policy. +The `unsafe-eval` keyword can be used to override this behavior, and as with `unsafe-inline`, and for the same reasons: **developers should avoid `unsafe-eval`**. + +Sometimes it can be difficult to remove usages of `eval()` and the other methods: in these situations, the [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) can make it safer, by ensuring that the input meets a defined policy. +The `trusted-types-eval` keyword should be used to override the behavior in this case. +Unlike `unsafe-inline` it only overrides the behavior in browser when trusted types are supported and enabled; which ensures that the methods will remain blocked on browsers that don't support trusted types. Unlike `unsafe-inline`, the `unsafe-eval` keyword does still work in a directive that contains nonce or hash expressions. diff --git a/files/en-us/web/http/reference/headers/content-security-policy/index.md b/files/en-us/web/http/reference/headers/content-security-policy/index.md index 0188146485e73de..9f60d6e334ec677 100644 --- a/files/en-us/web/http/reference/headers/content-security-policy/index.md +++ b/files/en-us/web/http/reference/headers/content-security-policy/index.md 
@@ -159,10 +159,8 @@ Reporting directives control the destination URL for CSP violation reports in `C - : Used to specify an allowlist of [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings. - {{CSP("upgrade-insecure-requests")}} - - : Instructs user agents to treat all of a site's insecure URLs (those served over - HTTP) as though they have been replaced with secure URLs (those served over HTTPS). - This directive is intended for websites with large numbers of insecure legacy URLs - that need to be rewritten. + - : Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). + This directive is intended for websites with large numbers of insecure legacy URLs that need to be rewritten. ### Deprecated directives 
@@ -272,14 +270,33 @@ Secure upgrades are allowed. For example: - If the document is served from `http://example.com`, then a CSP of `'self'` will also permit resources from `https://example.com`. - If the document is served from `ws://example.org`, then a CSP of `'self'` will also permit resources from `wss://example.org`. +### 'trusted-types-eval' + +By default, if a CSP contains a `default-src` or a `script-src` directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. +This includes [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval), the [`code`](/en-US/docs/Web/API/Window/setTimeout#code) argument to {{domxref("Window.setTimeout()", "setTimeout()")}}, or the {{jsxref("Function/Function()", "Function()")}} constructor. + +The `trusted-types-eval` keyword can be used to undo this protection, but only when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are enforced and passed to these functions instead of strings. +This allows dynamic evaluation of strings as JavaScript, but only after inputs have been passed through a transformation function before it is injected, which has the chance to [sanitize](/en-US/docs/Web/Security/Attacks/XSS#sanitization) the input to remove potentially dangerous markup. + +The `trusted-types-eval` must be used instead of [`'unsafe-eval'`](#unsafe-eval) when using these methods with trusted types. +This ensures that access to the methods is blocked on browsers that don't support trusted types. + +> [!NOTE] +> Developers should avoid using `trusted-types-eval` or these methods unless absolutely necessary. +> Trusted types ensure that the input passes through a transformation function — they don't ensure that the transformation makes the input safe (and this can be very hard to get right). + +See [`eval()` and similar APIs](/en-US/docs/Web/HTTP/Guides/CSP#eval_and_similar_apis) in the CSP guide for more usage information. 
+ ### 'unsafe-eval' -By default, if a CSP contains a `default-src` or a `script-src` directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. This includes [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval), the [`code`](/en-US/docs/Web/API/Window/setTimeout#code) argument to {{domxref("Window.setTimeout()", "setTimeout()")}}, or the {{jsxref("Function/Function()", "Function()")}} constructor. +By default, if a CSP contains a `default-src` or a `script-src` directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. +This includes [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval), the [`code`](/en-US/docs/Web/API/Window/setTimeout#code) argument to {{domxref("Window.setTimeout()", "setTimeout()")}}, or the {{jsxref("Function/Function()", "Function()")}} constructor. The `unsafe-eval` keyword can be used to undo this protection, allowing dynamic evaluation of strings as JavaScript. > [!WARNING] > Developers should avoid `'unsafe-eval'`, because it defeats much of the purpose of having a CSP. +> ['trusted-types-eval'](#trusted-types-eval) provides a "potentially" safer alternative if using these methods is necessary. See [`eval()` and similar APIs](/en-US/docs/Web/HTTP/Guides/CSP#eval_and_similar_apis) in the CSP guide for more usage information. From 2ab902d9eec2f5a93d1f666234371ca77e93c470 Mon Sep 17 00:00:00 2001 
From: MDN Web Docs GitHub Bot <108879845+mdn-bot@users.noreply.github.com> Date: Mon, 3 Nov 2025 01:29:15 +0100 Subject: [PATCH 3/3] fix: auto-cleanup by bot (#41785) * chore: auto-fix Markdownlint, Prettier, and front-matter issues * More fixes --------- Co-authored-by: Joshua Chen --- .vscode/dictionaries/code-entities.txt | 1 + .vscode/dictionaries/proper-names.txt | 1 + .../environment_setup/installing_software/index.md | 2 +- files/en-us/web/css/@font-palette-values/base-palette/index.md | 2 +- files/en-us/web/css/@font-palette-values/font-family/index.md | 2 +- .../en-us/web/css/@font-palette-values/override-colors/index.md | 2 +- files/en-us/web/http/guides/user-agent_reduction/index.md | 2 +- files/en-us/web/javascript/reference/operators/import/index.md | 2 +- 8 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.vscode/dictionaries/code-entities.txt b/.vscode/dictionaries/code-entities.txt index 75646f977b16598..0747be913f43d83 100644 --- a/.vscode/dictionaries/code-entities.txt +++ b/.vscode/dictionaries/code-entities.txt @@ -197,6 +197,7 @@ dweb ebuttm ebutts ECLF +EdgiOS ehtml EISU elementname diff --git a/.vscode/dictionaries/proper-names.txt b/.vscode/dictionaries/proper-names.txt index 255e5e47e6c7947..14504fb3f3bbe94 100644 --- a/.vscode/dictionaries/proper-names.txt +++ b/.vscode/dictionaries/proper-names.txt @@ -526,6 +526,7 @@ Scrimba Seamonkey Serpentina Shadeed +Sharma Shilpa Shinoda Shireen diff --git a/files/en-us/learn_web_development/getting_started/environment_setup/installing_software/index.md b/files/en-us/learn_web_development/getting_started/environment_setup/installing_software/index.md index 35a7c44eed31a67..ed504eae3fdee3f 100644 --- a/files/en-us/learn_web_development/getting_started/environment_setup/installing_software/index.md +++ b/files/en-us/learn_web_development/getting_started/environment_setup/installing_software/index.md 
@@ -95,7 +95,7 @@ There are many free software tools and online services that will probably be goo - The built-in Windows [Photos app](https://support.microsoft.com/en-gb/windows/manage-photos-and-videos-with-microsoft-photos-app-c0c6422f-d4cb-2e3d-eb65-7069071b2f9b) comes with many similar features. - The [tinypng](https://tinypng.com/) website, provides a free service allowing you to compress PNGs, JPEGs, and more. This is a very common task you'll have to do when preparing assets for use on a website. -In terms of commercial offerings, [Adobe Photoshop](https://www.adobe.com/products/photoshop.html) has long been the industry standard especially for photo editing, while programs like [Sketch](https://www.sketch.com/) are better suited to icon and UI work. There are also popular newcomers such as [Figma](https://www.figma.com/), [The Affinity Suite](https://affinity.serif.com/en-us/), and [Canva](https://www.canva.com/). +In terms of commercial offerings, [Adobe Photoshop](https://www.adobe.com/products/photoshop.html) has long been the industry standard especially for photo editing, while programs like [Sketch](https://www.sketch.com/) are better suited to icon and UI work. There are also popular newcomers such as [Figma](https://www.figma.com/), [The Affinity Suite](https://www.affinity.studio/), and [Canva](https://www.canva.com/). Most of the above apps have trials or free modes there are worth exploring. There are also some well-regarded free apps available such as [GIMP](https://www.gimp.org/), [Adobe Express](https://www.adobe.com/express/), and [Paint.NET](https://www.getpaint.net/). diff --git a/files/en-us/web/css/@font-palette-values/base-palette/index.md b/files/en-us/web/css/@font-palette-values/base-palette/index.md index 7344249c6ec12bd..0b689f243794044 100644 --- a/files/en-us/web/css/@font-palette-values/base-palette/index.md +++ b/files/en-us/web/css/@font-palette-values/base-palette/index.md 
@@ -93,5 +93,5 @@ h2 { - {{cssxref("@font-palette-values/", "@font-palette-values")}} - {{cssxref("@font-palette-values/font-family", "font-family")}} descriptor - {{cssxref("@font-palette-values/override-colors", "override-colors")}} descriptor -- {{cssxref("font-palette/", "font-palette")}} property +- {{cssxref("font-palette")}} property - {{domxref("CSSFontPaletteValuesRule.basePalette")}} diff --git a/files/en-us/web/css/@font-palette-values/font-family/index.md b/files/en-us/web/css/@font-palette-values/font-family/index.md index f73970505c38bf7..e227877a05225db 100644 --- a/files/en-us/web/css/@font-palette-values/font-family/index.md +++ b/files/en-us/web/css/@font-palette-values/font-family/index.md @@ -111,5 +111,5 @@ h2 { - {{cssxref("@font-face/font-family", "font-family")}} - {{cssxref("@font-palette-values/", "@font-palette-values")}} - {{cssxref("@font-palette-values/override-colors", "override-colors")}} descriptor -- {{cssxref("font-palette/", "font-palette")}} property +- {{cssxref("font-palette")}} property - {{domxref("CSSFontPaletteValuesRule.fontFamily")}} diff --git a/files/en-us/web/css/@font-palette-values/override-colors/index.md b/files/en-us/web/css/@font-palette-values/override-colors/index.md index 7d64821d734d292..d276415f0948d3b 100644 --- a/files/en-us/web/css/@font-palette-values/override-colors/index.md +++ b/files/en-us/web/css/@font-palette-values/override-colors/index.md @@ -168,5 +168,5 @@ This example shows that in `base-palette` `3`, the color at index 0 is overridde - {{cssxref("@font-palette-values/", "@font-palette-values")}} - {{cssxref("@font-palette-values/base-palette", "base-palette")}} - {{cssxref("@font-palette-values/font-family", "font-family")}} -- {{cssxref("font-palette/", "font-palette")}} +- {{cssxref("font-palette")}} - {{domxref("CSSFontPaletteValuesRule.overrideColors")}} 
diff --git a/files/en-us/web/http/guides/user-agent_reduction/index.md b/files/en-us/web/http/guides/user-agent_reduction/index.md index 46e357538194b2a..85aac6cbe3bcc03 100644 --- a/files/en-us/web/http/guides/user-agent_reduction/index.md +++ b/files/en-us/web/http/guides/user-agent_reduction/index.md @@ -68,7 +68,7 @@ The major browser version number shows correctly, but the minor version numbers ## Requesting UA information via client hints -You may still have code that relies on detailed UA string data, which can't be coverted to use feature detection or progressive enhancement. Examples include fine-grained logging, fraud prevention measures, or a software help site that serves different content based on the user's device type. +You may still have code that relies on detailed UA string data, which can't be converted to use feature detection or progressive enhancement. Examples include fine-grained logging, fraud prevention measures, or a software help site that serves different content based on the user's device type. If this is the case, you can still access detailed UA string data via [`Sec-CH-UA-*`](/en-US/docs/Web/HTTP/Reference/Headers#user_agent_client_hints) headers (also known as **User-Agent client hints**). The headers provide a safer, more privacy-preserving way to send such information because servers have to opt in to the pieces of information they want, rather it being sent all the time through the `User-Agent` string. It also provides access to a wider selection of information. diff --git a/files/en-us/web/javascript/reference/operators/import/index.md b/files/en-us/web/javascript/reference/operators/import/index.md index 92b258e91754a06..630921a625ab55e 100644 --- a/files/en-us/web/javascript/reference/operators/import/index.md +++ b/files/en-us/web/javascript/reference/operators/import/index.md 
@@ -118,7 +118,7 @@ Note that this can lead to memory leaks in a long-running application, because t You can also use the [Fetch API](/en-US/docs/Web/API/Fetch_API) to fetch module source code as text, and then evaluate the module manually depending on the module type: -- For JavaScript modules, you can dynamically import the source code as a [`blob:` URL](/en-US/docs/Web/API/URL/createObjectURL) in browsers, or use [`vm.Module`](/en-US/docs/Web/Node.js/vm/Module) to evaluate it in Node.js. +- For JavaScript modules, you can dynamically import the source code as a [`blob:` URL](/en-US/docs/Web/API/URL/createObjectURL_static) in browsers, or use [`vm.Module`](https://nodejs.org/docs/latest/api/vm.html#class-vmmodule) to evaluate it in Node.js. - For JSON modules, you can parse the source code using {{jsxref("JSON.parse()")}}. - For CSS modules, you can create a new {{domxref("CSSStyleSheet")}} object and use its [`replace()`](/en-US/docs/Web/API/CSSStyleSheet/replace) method to populate it with the source code.
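
Review bot: In `files/en-us/web/css/@property/initial-value/index.md`, the paragraph added under `### Values` gives `3em` as its only invalid example, while the value this patch removes from the syntax block is `2rem`. Suggest naming `rem` as well (it depends on the root element's font size), so the reader can see why the example moved to `16px`. The commit message says the text is taken from the main page, so the two copies can drift apart; a link back to the `@property` page would keep one source of truth.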
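
Review bot: In `files/en-us/mozilla/firefox/experimental_features/index.md`, the release table in the `### Trusted Types API` hunk changes "Version added" from 133 to 145 for Nightly, Developer Edition and Beta, while the Release row stays at 133. The removed rows show the pref already existed in 133 with the default off, so only the "Enabled by default?" column looks like it should change. If 145 is intended, a sentence explaining the mismatch with the Release row would help. This hunk also cites Firefox bug 1992941 for the enablement, while the `releases/145/index.md` hunk in the same patch cites bug 1976656 for what reads as the same change; please confirm which one is right. Minor: "to allow the `TrustedHTML`, `TrustedScript`, `TrustedScriptURL` to be passed" reads better as "to allow `TrustedHTML`, `TrustedScript`, and `TrustedScriptURL` objects to be passed".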
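
Review bot: In `files/en-us/mozilla/firefox/releases/145/index.md`, the added link `/en-US/docs/Web/API/Trusted_Types_API##injection_sink_interfaces` has a doubled `#`, so the fragment will not resolve; it should match the single `#injection_sink_interfaces` used in the experimental features page. In the same added list, the first bullet (`- Addition of the ...`) starts at column 0 while the next two are indented, which takes it out of the "Trusted Types API" list item; indent all three the same. Also "injection sink interfaces ... APIs" is redundant (drop "APIs"), and "early beta releases. ([Firefox bug" has a stray period before the parenthesis.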
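
Review bot: In `files/en-us/web/api/trusted_types_api/index.md`, the new `### Injection sink interfaces` section has two sentences that need fixing: "provides an list" should be "a list", and "These cases are evaluated the untrusted script is added to the document" is missing "when". Since that second sentence is the only description of the indirect injection case, it is worth getting exact. In the lists, `{{domxref("Element.insertAdjacentHTML")}}` is missing the `()` that the other method entries carry, and `{{domxref("SvgAnimatedString.baseVal")}}` should use the interface's casing, `SVGAnimatedString`. The intro says "direct" sinks in quotes without defining the term; one clause contrasting it with the indirect case would do.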
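
Review bot: In `files/en-us/web/api/trusted_types_api/index.md`, under the added `### Extensions to other interfaces` heading, the term line `{{domxref("WorkerGlobalScope.trustedTypes")}}.` ends with a period that will render as part of the definition term; remove it. In `### Extensions to HTTP`, the `require-trusted-types-for` entry links "injection sinks" to `#concepts_and_usage`, although this patch adds a dedicated `#injection_sink_interfaces` anchor on the same page; pointing there would be more useful. The keyword is written `trusted-types-eval` without the single quotes that CSP keywords take and that the header page uses in its `'trusted-types-eval'` heading; please quote it consistently. "Window thread" would be clearer as "main thread".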
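
Review bot: In `files/en-us/web/http/guides/csp/index.md`, the added sentence "Unlike `unsafe-inline` it only overrides the behavior in browser when trusted types are supported and enabled" compares against the wrong keyword. The paragraph is about `eval()` and the contrast being drawn is with `unsafe-eval`, which lifts the restriction in every browser. As written it also collides with the next context line, which begins "Unlike `unsafe-inline`, the `unsafe-eval` keyword ..." and makes a different point. Suggest "Unlike `unsafe-eval`, it only overrides the behavior in browsers where trusted types are supported and enforced, which ensures ...", using a comma rather than the semicolon. "the other methods" also has no antecedent in the added text; name them or say "similar APIs".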
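
Review bot: In `files/en-us/web/http/reference/headers/content-security-policy/index.md`, the new `### 'trusted-types-eval'` section puts its most important caveat (a policy only guarantees that input passed through a transformation function, not that the result is safe) in a `[!NOTE]`, while the sibling `'unsafe-eval'` section uses `[!WARNING]`. Since both keywords re-enable `eval()`-style sinks, the same callout level seems appropriate. The section says the keyword applies "only when Trusted Types are enforced" but does not name the directive that enforces them; a link to `require-trusted-types-for` would make the required configuration explicit. Smaller points: the keyword appears unquoted in the body but quoted in the heading and in `'unsafe-eval'`; "inputs have been passed through a transformation function before it is injected" mixes plural and singular; and in the `'unsafe-eval'` warning, `['trusted-types-eval'](#trusted-types-eval)` lacks code formatting and the scare quotes around "potentially" should go.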
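
Review bot: In `files/en-us/web/http/guides/user-agent_reduction/index.md`, the hunk fixes "coverted", but the trailing context paragraph still reads "rather it being sent all the time", which is missing "than". Since this is a cleanup pass over that section, it would be worth fixing both in the same commit.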