diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index 070b25ba71797ec..9bf9f0ab247b098 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -9,9 +9,9 @@ contact_links:
- name: MDN GitHub Discussions
url: https://github.com/orgs/mdn/discussions
about: Does the issue involve a lot of pages, or are you not sure how it can be split into actionable tasks? Consider starting a discussion first.
- - name: MDN Web Docs on Discourse
- url: https://discourse.mozilla.org/c/mdn/learn/250
- about: Need help with assessments on MDN Web Docs? We have a support community for this purpose on Discourse.
+ - name: MDN Web Docs Community Discord server
+ url: http://mdn.dev/discord
+ about: Want to chat about your work or how to contribute to MDN? Join us on Discord!
- name: Help with code
url: https://stackoverflow.com/
about: If you are stuck and need help with code, StackOverflow is a great resource.
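Review bot: The new Discord entry's `url: http://mdn.dev/discord` is plain HTTP, while the other contact links in this list use `https://`. A cleartext first hop lets anyone on the network path rewrite where the short link redirects, so please use the `https://` form of the short link (or the final invite URL) here.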
diff --git a/.vscode/dictionaries/terms-abbreviations.txt b/.vscode/dictionaries/terms-abbreviations.txt
index 7557b06c94086dd..0366c8c50e0fda6 100644
--- a/.vscode/dictionaries/terms-abbreviations.txt
+++ b/.vscode/dictionaries/terms-abbreviations.txt
@@ -25,6 +25,7 @@ arcseconds
ARGB
arsinh
artanh
+ASACP
ASCAP
ascendingly
ASCIIID
diff --git a/files/en-us/glossary/nonce/index.md b/files/en-us/glossary/nonce/index.md
new file mode 100644
index 000000000000000..13cbcf6f9d1f3b0
--- /dev/null
+++ b/files/en-us/glossary/nonce/index.md
@@ -0,0 +1,24 @@
+---
+title: Nonce
+slug: Glossary/Nonce
+page-type: glossary-definition
+sidebar: glossarysidebar
+---
+
+In cryptography and computer security, a **`nonce`** is an arbitrary number that is used **only once** in a cryptographic communication. The term is derived from "number used once" and is commonly employed to prevent replay attacks, ensure message freshness, and add randomness to cryptographic protocols.
+
+Nonces are frequently used in authentication protocols, encryption schemes, hashing, and digital signatures. They may be generated randomly or pseudo-randomly, or derived deterministically, depending on the application and security requirements.
+
+In web security, nonces are commonly used in mechanisms such as **Content Security Policy (CSP)** to allow specific scripts to execute while preventing cross-site scripting (XSS) attacks. In cryptographic protocols like {{Glossary("TLS")}}, nonces help ensure that each session is unique.
+
+## See also
+
+- [Cryptographic nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) on Wikipedia
+- [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP)
+- [Replay attack](https://en.wikipedia.org/wiki/Replay_attack) on Wikipedia
+- Related glossary terms:
+ - {{Glossary("cryptography")}}
+ - {{Glossary("encryption")}}
+ - {{Glossary("hash")}}
+ - {{Glossary("TLS")}}
+ - {{Glossary("authentication")}}
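Review bot: The second paragraph says a nonce may be "derived deterministically" and the CSP paragraph gives no requirement on how the value is produced, yet the `nonce` attribute text touched elsewhere in this patch says it is critical that the nonce cannot be guessed and that the server generates a unique value each time it transmits a policy. Most of the new glossary links point here from CSP pages, so the CSP paragraph should state that requirement (unguessable, new for every response) instead of leaving readers with "arbitrary number". Two smaller points: the See also link `/en-US/docs/Web/HTTP/CSP` differs from the `/en-US/docs/Web/HTTP/Guides/CSP` path used in the other files of this patch, and the bolded term in the first sentence is wrapped in code backticks although it names a concept here, not an identifier.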
diff --git a/files/en-us/glossary/replay_attack/index.md b/files/en-us/glossary/replay_attack/index.md
index 221a35cda3b3a6a..7bd554af3ff7819 100644
--- a/files/en-us/glossary/replay_attack/index.md
+++ b/files/en-us/glossary/replay_attack/index.md
@@ -7,7 +7,7 @@ sidebar: glossarysidebar
In web security, a _replay attack_ happens when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction.
-Replay attacks can be prevented by including a unique, single-use identifier with each message that the receiver can use to verify the authenticity of the transmission. This identifier can take the form of a session token or "number used only once" ("nonce").
+Replay attacks can be prevented by including a unique, single-use identifier with each message that the receiver can use to verify the authenticity of the transmission. This identifier can take the form of a session token or "number used only once" ({{Glossary("Nonce", "nonce")}}).
## See also
diff --git a/files/en-us/mozilla/firefox/experimental_features/index.md b/files/en-us/mozilla/firefox/experimental_features/index.md
index 67698ac6782d628..abeae76f30b7b60 100644
--- a/files/en-us/mozilla/firefox/experimental_features/index.md
+++ b/files/en-us/mozilla/firefox/experimental_features/index.md
@@ -384,21 +384,7 @@ The [`@custom-media`](/en-US/docs/Web/CSS/Reference/At-rules/@custom-media) CSS
## JavaScript
-### CSS module scripts
-
-CSS module scripts are now supported, allowing a stylesheet to be loaded into a script as a {{domxref("CSSStyleSheet")}} instance using the [`import`](/en-US/docs/Web/JavaScript/Reference/Statements/import) statement.
-The `import` statement must also specify the `type` [import attribute](/en-US/docs/Web/JavaScript/Reference/Statements/import/with) and set it to `"css"`, and the stylesheet must be served with the [media type](/en-US/docs/Web/HTTP/Guides/MIME_types) of `text/css`.
-([Firefox bug 1720570](https://bugzil.la/1720570)).
-
-| Release channel | Version added | Enabled by default? |
-| ----------------- | ------------- | ------------------- |
-| Nightly | 145 | No |
-| Developer Edition | No | No |
-| Beta | No | No |
-| Release | No | No |
-
-- `layout.css.module-scripts.enabled`
- - : Set to `true` to enable.
+**No experimental features in this release cycle.**
## APIs
@@ -743,7 +729,7 @@ The following `` elements are equivalent:
```
-Browsers that recognise this element can then take steps to restrict users from viewing the content. Firefox's implementation replaces the page with the content found at `about:restricted`, which explains to the user that they are trying to view restricted content, explains why they cannot view it, and gives them a back button to return from whence they came.
+Browsers that recognize this element can then take steps to restrict users from viewing the content. Firefox's implementation replaces the page with the content found at `about:restricted`, which explains to the user that they are trying to view restricted content, explains why they cannot view it, and gives them a back button to return from whence they came.
See [Firefox bug 1991135](https://bugzil.la/1991135) for more details.
diff --git a/files/en-us/mozilla/firefox/releases/146/index.md b/files/en-us/mozilla/firefox/releases/146/index.md
index 1b2cc8d6b2c6d19..34104ec18f0bd97 100644
--- a/files/en-us/mozilla/firefox/releases/146/index.md
+++ b/files/en-us/mozilla/firefox/releases/146/index.md
@@ -83,7 +83,7 @@ You can find more such features on the [Experimental features](/en-US/docs/Mozil
- **``** (Nightly): `security.restrict_to_adults.always` and `security.restrict_to_adults.respect_platform`
- The `` element allows websites to self-identify as restricted/adult content. Browsers that recognise this element can then take steps to restrict users from viewing the content. See [Restricting adult content with ``](/en-US/docs/Mozilla/Firefox/Experimental_features#restricting_adult_content_with_meta_namerating) for more details.
+ The `` element allows websites to self-identify as restricted/adult content. Browsers that recognize this element can then take steps to restrict users from viewing the content. See [Restricting adult content with ``](/en-US/docs/Mozilla/Firefox/Experimental_features#restricting_adult_content_with_meta_namerating) for more details.
([Firefox bug 1991135](https://bugzil.la/1991135)).
- **Navigation API** (Nightly): `dom.navigation.webidl.enabled`
diff --git a/files/en-us/mozilla/firefox/releases/147/index.md b/files/en-us/mozilla/firefox/releases/147/index.md
index ffb6557c40cab8f..b0bb30ce5a48c33 100644
--- a/files/en-us/mozilla/firefox/releases/147/index.md
+++ b/files/en-us/mozilla/firefox/releases/147/index.md
@@ -43,7 +43,10 @@ Firefox 147 is the current [Beta version of Firefox](https://www.firefox.com/en-
-
+### JavaScript
+
+- CSS module scripts are now supported, allowing a stylesheet to be loaded into a script as a {{domxref("CSSStyleSheet")}} instance using the [`import`](/en-US/docs/Web/JavaScript/Reference/Statements/import) keyword and the [`type` import attribute](/en-US/docs/Web/JavaScript/Reference/Statements/import/with) set to `type="css"`.
+ ([Firefox bug 1986681](https://bugzil.la/1986681)).
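Review bot: In the new JavaScript bullet, "set to `type="css"`" reads like an HTML attribute, whereas the import attribute is written `with { type: "css" }`, and the section removed from the Experimental features page described it as setting `type` to `"css"`. Suggest rewording to match that. The bullet also drops the removed section's requirement that the stylesheet be served with the `text/css` media type, and cites Firefox bug 1986681 where the removed section cited 1720570; please confirm both are intended.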
diff --git a/files/en-us/mozilla/firefox/releases/75/index.md b/files/en-us/mozilla/firefox/releases/75/index.md
index eb431db0d4c885a..3cbcc067ecbeb42 100644
--- a/files/en-us/mozilla/firefox/releases/75/index.md
+++ b/files/en-us/mozilla/firefox/releases/75/index.md
@@ -77,7 +77,7 @@ _No changes._
### Security
-- [CSP](/en-US/docs/Web/HTTP/Guides/CSP) nonces from non-script sources, such as CSS selectors, and `.getAttribute("nonce")` calls, are now hidden. Instead, check the [`.nonce`](/en-US/docs/Web/API/HTMLElement/nonce) property to access nonces from scripts ([Firefox bug 1374612](https://bugzil.la/1374612)).
+- [CSP](/en-US/docs/Web/HTTP/Guides/CSP) {{Glossary("Nonce", "nonces")}} from non-script sources, such as CSS selectors, and `.getAttribute("nonce")` calls, are now hidden. Instead, check the [`.nonce`](/en-US/docs/Web/API/HTMLElement/nonce) property to access nonces from scripts ([Firefox bug 1374612](https://bugzil.la/1374612)).
### Plugins
diff --git a/files/en-us/web/api/aesctrparams/index.md b/files/en-us/web/api/aesctrparams/index.md
index 37d5e5d99d89cd9..685c73b6bc836b6 100644
--- a/files/en-us/web/api/aesctrparams/index.md
+++ b/files/en-us/web/api/aesctrparams/index.md
@@ -18,7 +18,7 @@ A given counter block value must never be used more than once with the same key:
Typically this is achieved by splitting the initial counter block value into two concatenated parts:
-- A [nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
+- A {{Glossary("Nonce", "nonce")}} (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A counter. This part of the block gets incremented each time a block is encrypted.
Essentially: the nonce should ensure that counter blocks are not reused from one message to the next, while the counter should ensure that counter blocks are not reused within a single message.
diff --git a/files/en-us/web/api/fedcm_api/rp_sign-in/index.md b/files/en-us/web/api/fedcm_api/rp_sign-in/index.md
index bbb55cbb3ce9d97..50740cee0ae1314 100644
--- a/files/en-us/web/api/fedcm_api/rp_sign-in/index.md
+++ b/files/en-us/web/api/fedcm_api/rp_sign-in/index.md
@@ -49,7 +49,7 @@ The `identity.providers` property takes an array containing one or more objects
The previous example also includes some optional features:
- `identity.context` specifies the context in which the user is authenticating with FedCM. For example, is it a first-time signup for this account, or a sign-in with an existing account? The browser uses this information to vary the text in its FedCM UI to better suit the context.
-- The `nonce` property provides a random nonce value that ensures the response is issued for this specific request, preventing {{glossary("replay attack", "replay attacks")}}.
+- The `nonce` property provides a random {{Glossary("Nonce")}} value that ensures the response is issued for this specific request, preventing {{glossary("replay attack", "replay attacks")}}.
- The `loginHint` property provides a hint about the account option(s) the browser should present for user sign-in. This hint is matched against the `login_hints` values that the IdP provides at the [accounts list endpoint](/en-US/docs/Web/API/FedCM_API/IDP_integration#the_accounts_list_endpoint).
The browser requests the IdP config files and carries out the sign-in flow detailed below. For more information on the kind of interaction a user might expect from the browser-supplied UI, see [Implement an identity solution with FedCM on the Relying Party side](https://developer.chrome.com/docs/identity/fedcm/implement/relying-party).
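Review bot: On the changed `nonce` bullet, `{{Glossary("Nonce")}}` has no display-text argument, unlike the `{{Glossary("Nonce", "nonce")}}` form used in the other hunks of this patch, so the link text will be the capitalized term name in the middle of the sentence ("a random Nonce value"). Use the two-argument form here for consistency.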
diff --git a/files/en-us/web/api/subtlecrypto/encrypt/index.md b/files/en-us/web/api/subtlecrypto/encrypt/index.md
index dcc2ec59bd4b3ed..f532a1061fb969a 100644
--- a/files/en-us/web/api/subtlecrypto/encrypt/index.md
+++ b/files/en-us/web/api/subtlecrypto/encrypt/index.md
@@ -85,7 +85,7 @@ A given counter block value must never be used more than once with the same key:
Typically this is achieved by splitting the initial counter block value into two concatenated parts:
-- A [nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
+- A {{Glossary("Nonce", "nonce")}} (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A counter. This part of the block gets incremented each time a block is encrypted.
Essentially: the nonce should ensure that counter blocks are not reused from one message to the next, while the counter should ensure that counter blocks are not reused within a single message.
diff --git a/files/en-us/web/api/svgelement/nonce/index.md b/files/en-us/web/api/svgelement/nonce/index.md
index 91fd71630da7b54..0a7f5b1268b3958 100644
--- a/files/en-us/web/api/svgelement/nonce/index.md
+++ b/files/en-us/web/api/svgelement/nonce/index.md
@@ -8,7 +8,7 @@ browser-compat: api.SVGElement.nonce
{{APIRef("SVG")}}
-The **`nonce`** property of the {{DOMxRef("SVGElement")}} interface returns the nonce that is used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether a given fetch will be allowed to proceed.
+The **`nonce`** property of the {{DOMxRef("SVGElement")}} interface returns the {{Glossary("Nonce", "nonce")}} that is used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether a given fetch will be allowed to proceed.
## Value
diff --git a/files/en-us/web/api/websockets_api/index.md b/files/en-us/web/api/websockets_api/index.md
index 0a03bf0c13a4402..93845643de6d20c 100644
--- a/files/en-us/web/api/websockets_api/index.md
+++ b/files/en-us/web/api/websockets_api/index.md
@@ -37,7 +37,7 @@ Additionally, the [WebTransport API](/en-US/docs/Web/API/WebTransport_API) is ex
The HTTP headers are used in the [WebSocket handshake](/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#the_websocket_handshake):
- {{HTTPHeader("Sec-WebSocket-Key")}}
- - : An HTTP request header that contains a nonce from the client.
+ - : An HTTP request header that contains a {{Glossary("Nonce", "nonce")}} from the client.
This is used in the [WebSocket opening handshake](/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#the_websocket_handshake) to verify that the client explicitly intends to open a WebSocket.
It is added automatically by the browser.
- {{HTTPHeader("Sec-WebSocket-Accept")}}
diff --git a/files/en-us/web/html/reference/elements/script/index.md b/files/en-us/web/html/reference/elements/script/index.md
index ebbed1b8bf4e2ce..6ac9a944882d4ff 100644
--- a/files/en-us/web/html/reference/elements/script/index.md
+++ b/files/en-us/web/html/reference/elements/script/index.md
@@ -91,7 +91,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Reference/Glo
- `nomodule`
- : This Boolean attribute is set to indicate that the script should not be executed in browsers that support [ES modules](/en-US/docs/Web/JavaScript/Guide/Modules) — in effect, this can be used to serve fallback scripts to older browsers that do not support modular JavaScript code.
- `nonce`
- - : A cryptographic nonce (number used once) to allow scripts in a [script-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
+ - : A cryptographic {{Glossary("Nonce", "nonce")}} (number used once) to allow scripts in a [script-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
- `referrerpolicy`
- : Indicates which [referrer](/en-US/docs/Web/API/Document/referrer) to send when fetching the script, or resources fetched by the script:
- `no-referrer`: The {{HTTPHeader("Referer")}} header will not be sent.
diff --git a/files/en-us/web/html/reference/elements/style/index.md b/files/en-us/web/html/reference/elements/style/index.md
index a19093fa1e7135f..af8de834ed16ef6 100644
--- a/files/en-us/web/html/reference/elements/style/index.md
+++ b/files/en-us/web/html/reference/elements/style/index.md
@@ -56,7 +56,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Reference/Glo
- `media`
- : This attribute defines which media the style should be applied to. Its value is a [media query](/en-US/docs/Web/CSS/Guides/Media_queries/Using), which defaults to `all` if the attribute is missing.
- `nonce`
- - : A cryptographic nonce (number used once) used to allow inline styles in a [style-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
+ - : A cryptographic {{Glossary("Nonce", "nonce")}} (number used once) used to allow inline styles in a [style-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
- `title`
- : This attribute specifies [alternative style sheet](/en-US/docs/Web/HTML/Reference/Attributes/rel/alternate_stylesheet) sets.
diff --git a/files/en-us/web/html/reference/global_attributes/index.md b/files/en-us/web/html/reference/global_attributes/index.md
index 7b1c9679f4fc6be..37bdf5ce8173722 100644
--- a/files/en-us/web/html/reference/global_attributes/index.md
+++ b/files/en-us/web/html/reference/global_attributes/index.md
@@ -81,7 +81,7 @@ In addition to the basic HTML global attributes, the following global attributes
- [`lang`](/en-US/docs/Web/HTML/Reference/Global_attributes/lang)
- : Helps define the language of an element: the language that non-editable elements are in, or the language that editable elements should be written in by the user. The attribute should contain a valid {{glossary("BCP 47 language tag")}}. `xml:lang` has priority over it.
- [`nonce`](/en-US/docs/Web/HTML/Reference/Global_attributes/nonce)
- - : A cryptographic nonce ("number used once") which can be used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether or not a given fetch will be allowed to proceed.
+ - : A cryptographic {{Glossary("Nonce", "nonce")}} ("number used once") which can be used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether or not a given fetch will be allowed to proceed.
- [`part`](/en-US/docs/Web/HTML/Reference/Global_attributes/part)
- : A space-separated list of the part names of the element. Part names allows CSS to select and style specific elements in a shadow tree via the {{CSSxRef("::part")}} pseudo-element.
- [`popover`](/en-US/docs/Web/HTML/Reference/Global_attributes/popover)
diff --git a/files/en-us/web/html/reference/global_attributes/nonce/index.md b/files/en-us/web/html/reference/global_attributes/nonce/index.md
index fa0d3cb315c4774..aff2d09548fc98c 100644
--- a/files/en-us/web/html/reference/global_attributes/nonce/index.md
+++ b/files/en-us/web/html/reference/global_attributes/nonce/index.md
@@ -8,7 +8,7 @@ sidebar: htmlsidebar
---
The **`nonce`** [global attribute](/en-US/docs/Web/HTML/Reference/Global_attributes)
-is a content attribute defining a cryptographic nonce ("number used once") which can be used by
+is a content attribute defining a cryptographic {{Glossary("Nonce", "nonce")}} ("number used once") which can be used by
[Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether or not a given fetch will
be allowed to proceed for a given element.
diff --git a/files/en-us/web/http/guides/csp/errors/index.md b/files/en-us/web/http/guides/csp/errors/index.md
index 4fcb5a99bc88aa3..161f92e979ff4fc 100644
--- a/files/en-us/web/http/guides/csp/errors/index.md
+++ b/files/en-us/web/http/guides/csp/errors/index.md
@@ -21,7 +21,7 @@ When you see any of the following messages logged in the browser devtools consol
- Ignoring "%1$S" within script-src or style-src: nonce-source or hash-source specified
- Ignoring "%1$S" within script-src: 'strict-dynamic' specified
- Ignoring source "%1$S" (Only supported within script-src).
-- Keyword 'strict-dynamic' within "%1$S" with no valid nonce or hash might block all scripts from loading
+- Keyword 'strict-dynamic' within "%1$S" with no valid {{Glossary("Nonce", "nonce")}} or hash might block all scripts from loading
- The report URI (%1$S) should be an HTTP or HTTPS URI.
- This site (%1$S) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
- Failed to parse unrecognized source %1$S
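Review bot: The entries in this list are console messages quoted verbatim (the hunk context reads "When you see any of the following messages logged in the browser devtools console"), so putting `{{Glossary("Nonce", "nonce")}}` inside the 'strict-dynamic' message turns part of a literal string into a link. The neighbouring message "nonce-source or hash-source specified" is left as plain text; suggest keeping this line as plain text too and linking the glossary from explanatory prose on the page instead.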
diff --git a/files/en-us/web/http/guides/csp/index.md b/files/en-us/web/http/guides/csp/index.md
index 3cae2b30946dfad..2442516090c665f 100644
--- a/files/en-us/web/http/guides/csp/index.md
+++ b/files/en-us/web/http/guides/csp/index.md
@@ -101,7 +101,7 @@ A CSP can provide protection against all of these. With a CSP, you can:
- define the permitted sources for JavaScript files and other resources, effectively blocking loads from `https://evil.example.com`
- disable inline script tags
-- allow only script tags which have the correct nonce or hash set
+- allow only script tags which have the correct {{Glossary("Nonce", "nonce")}} or hash set
- disable inline event handlers
- disable `javascript:` URLs
- disable dangerous APIs like `eval()`
diff --git a/files/en-us/web/http/guides/iframe_credentialless/index.md b/files/en-us/web/http/guides/iframe_credentialless/index.md
index 7eba4434ad0fe82..2b2707986ea381e 100644
--- a/files/en-us/web/http/guides/iframe_credentialless/index.md
+++ b/files/en-us/web/http/guides/iframe_credentialless/index.md
@@ -54,7 +54,7 @@ iframeElem.src =
> [!NOTE]
> The {{domxref("window.credentialless")}} property can be queried by a document embedded in an `