6 changes: 3 additions & 3 deletions .github/ISSUE_TEMPLATE/config.yml
@@ -9,9 +9,9 @@ contact_links:
- name: MDN GitHub Discussions
url: https://github.com/orgs/mdn/discussions
about: Does the issue involve a lot of pages, or are you not sure how it can be split into actionable tasks? Consider starting a discussion first.
- name: MDN Web Docs on Discourse
url: https://discourse.mozilla.org/c/mdn/learn/250
about: Need help with assessments on MDN Web Docs? We have a support community for this purpose on Discourse.
- name: MDN Web Docs Community Discord server
url: http://mdn.dev/discord
about: Want to chat about your work or how to contribute to MDN? Join us on Discord!
- name: Help with code
url: https://stackoverflow.com/
about: If you are stuck and need help with code, StackOverflow is a great resource.
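Review bot: the Discord contact link `url: http://mdn.dev/discord` is the only entry in this block using plain `http://`; the other three links are `https://`. Since the link is followed from a GitHub issue chooser, an `https://mdn.dev/discord` entry avoids sending contributors through a cleartext redirect and keeps the list consistent.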
1 change: 1 addition & 0 deletions .vscode/dictionaries/terms-abbreviations.txt
@@ -25,6 +25,7 @@ arcseconds
ARGB
arsinh
artanh
ASACP
ASCAP
ascendingly
ASCIIID
24 changes: 24 additions & 0 deletions files/en-us/glossary/nonce/index.md
@@ -0,0 +1,24 @@
---
title: Nonce
slug: Glossary/Nonce
page-type: glossary-definition
sidebar: glossarysidebar
---

In cryptography and computer security, a **`nonce`** is an arbitrary number that is used **only once** in a cryptographic communication. The term is derived from "number used once" and is commonly employed to prevent replay attacks, ensure message freshness, and add randomness to cryptographic protocols.

Nonces are frequently used in authentication protocols, encryption schemes, hashing, and digital signatures. They may be generated randomly or pseudo-randomly, or derived deterministically, depending on the application and security requirements.

In web security, nonces are commonly used in mechanisms such as **Content Security Policy (CSP)** to allow specific scripts to execute while preventing cross-site scripting (XSS) attacks. In cryptographic protocols like {{Glossary("TLS")}}, nonces help ensure that each session is unique.

## See also

- [Cryptographic nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) on Wikipedia
- [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP)
- [Replay attack](https://en.wikipedia.org/wiki/Replay_attack) on Wikipedia
- Related glossary terms:
- {{Glossary("cryptography")}}
- {{Glossary("encryption")}}
- {{Glossary("hash")}}
- {{Glossary("TLS")}}
- {{Glossary("authentication")}}
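Review bot: the definition line wraps the term in backticks inside the bold (`**`nonce`**`), which renders the concept as a code identifier; the other glossary pages in this PR (replay attack) bold the term as plain text, so `**nonce**` fits the house style. The phrase "add randomness to cryptographic protocols" also blurs two different requirements that this same PR documents: for CSP the `<script>`/`<style>` pages state the nonce "cannot be guessed", whereas for AES-CTR the AesCtrParams page states nonces "don't have to be secret, but they must not be reused with the same key". One sentence distinguishing uniqueness (always required) from unpredictability (required when the nonce acts as an authorization token, as in CSP) would make the entry accurate for both uses, and the See also list could link the `nonce` global attribute page that this PR also edits.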
2 changes: 1 addition & 1 deletion files/en-us/glossary/replay_attack/index.md
@@ -7,7 +7,7 @@ sidebar: glossarysidebar

In web security, a _replay attack_ happens when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction.

Replay attacks can be prevented by including a unique, single-use identifier with each message that the receiver can use to verify the authenticity of the transmission. This identifier can take the form of a session token or "number used only once" ("nonce").
Replay attacks can be prevented by including a unique, single-use identifier with each message that the receiver can use to verify the authenticity of the transmission. This identifier can take the form of a session token or "number used only once" ({{Glossary("Nonce", "nonce")}}).

## See also

18 changes: 2 additions & 16 deletions files/en-us/mozilla/firefox/experimental_features/index.md
@@ -384,21 +384,7 @@ The [`@custom-media`](/en-US/docs/Web/CSS/Reference/At-rules/@custom-media) CSS

## JavaScript

### CSS module scripts

CSS module scripts are now supported, allowing a stylesheet to be loaded into a script as a {{domxref("CSSStyleSheet")}} instance using the [`import`](/en-US/docs/Web/JavaScript/Reference/Statements/import) statement.
The `import` statement must also specify the `type` [import attribute](/en-US/docs/Web/JavaScript/Reference/Statements/import/with) and set it to `"css"`, and the stylesheet must be served with the [media type](/en-US/docs/Web/HTTP/Guides/MIME_types) of `text/css`.
([Firefox bug 1720570](https://bugzil.la/1720570)).

| Release channel | Version added | Enabled by default? |
| ----------------- | ------------- | ------------------- |
| Nightly | 145 | No |
| Developer Edition | No | No |
| Beta | No | No |
| Release | No | No |

- `layout.css.module-scripts.enabled`
- : Set to `true` to enable.
**No experimental features in this release cycle.**

## APIs

@@ -743,7 +729,7 @@ The following `<meta>` elements are equivalent:
<meta name="rating" content="RTA-5042-1996-1400-1577-RTA" />
```

Browsers that recognise this element can then take steps to restrict users from viewing the content. Firefox's implementation replaces the page with the content found at `about:restricted`, which explains to the user that they are trying to view restricted content, explains why they cannot view it, and gives them a back button to return from whence they came.
Browsers that recognize this element can then take steps to restrict users from viewing the content. Firefox's implementation replaces the page with the content found at `about:restricted`, which explains to the user that they are trying to view restricted content, explains why they cannot view it, and gives them a back button to return from whence they came.

See [Firefox bug 1991135](https://bugzil.la/1991135) for more details.

2 changes: 1 addition & 1 deletion files/en-us/mozilla/firefox/releases/146/index.md
@@ -83,7 +83,7 @@ You can find more such features on the [Experimental features](/en-US/docs/Mozil

- **`<meta name="rating">`** (Nightly): `security.restrict_to_adults.always` and `security.restrict_to_adults.respect_platform`

The `<meta name="rating">` element allows websites to self-identify as restricted/adult content. Browsers that recognise this element can then take steps to restrict users from viewing the content. See [Restricting adult content with `<meta name="rating">`](/en-US/docs/Mozilla/Firefox/Experimental_features#restricting_adult_content_with_meta_namerating) for more details.
The `<meta name="rating">` element allows websites to self-identify as restricted/adult content. Browsers that recognize this element can then take steps to restrict users from viewing the content. See [Restricting adult content with `<meta name="rating">`](/en-US/docs/Mozilla/Firefox/Experimental_features#restricting_adult_content_with_meta_namerating) for more details.
([Firefox bug 1991135](https://bugzil.la/1991135)).

- **Navigation API** (Nightly): `dom.navigation.webidl.enabled`
5 changes: 4 additions & 1 deletion files/en-us/mozilla/firefox/releases/147/index.md
@@ -43,7 +43,10 @@ Firefox 147 is the current [Beta version of Firefox](https://www.firefox.com/en-

<!-- #### Removals -->

<!-- ### JavaScript -->
### JavaScript

- CSS module scripts are now supported, allowing a stylesheet to be loaded into a script as a {{domxref("CSSStyleSheet")}} instance using the [`import`](/en-US/docs/Web/JavaScript/Reference/Statements/import) keyword and the [`type` import attribute](/en-US/docs/Web/JavaScript/Reference/Statements/import/with) set to `type="css"`.
([Firefox bug 1986681](https://bugzil.la/1986681)).

<!-- No notable changes. -->

2 changes: 1 addition & 1 deletion files/en-us/mozilla/firefox/releases/75/index.md
@@ -77,7 +77,7 @@ _No changes._

### Security

- [CSP](/en-US/docs/Web/HTTP/Guides/CSP) nonces from non-script sources, such as CSS selectors, and `.getAttribute("nonce")` calls, are now hidden. Instead, check the [`.nonce`](/en-US/docs/Web/API/HTMLElement/nonce) property to access nonces from scripts ([Firefox bug 1374612](https://bugzil.la/1374612)).
- [CSP](/en-US/docs/Web/HTTP/Guides/CSP) {{Glossary("Nonce", "nonces")}} from non-script sources, such as CSS selectors, and `.getAttribute("nonce")` calls, are now hidden. Instead, check the [`.nonce`](/en-US/docs/Web/API/HTMLElement/nonce) property to access nonces from scripts ([Firefox bug 1374612](https://bugzil.la/1374612)).

### Plugins

2 changes: 1 addition & 1 deletion files/en-us/web/api/aesctrparams/index.md
@@ -18,7 +18,7 @@ A given counter block value must never be used more than once with the same key:

Typically this is achieved by splitting the initial counter block value into two concatenated parts:

- A [nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A {{Glossary("Nonce", "nonce")}} (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A counter. This part of the block gets incremented each time a block is encrypted.

Essentially: the nonce should ensure that counter blocks are not reused from one message to the next, while the counter should ensure that counter blocks are not reused within a single message.
2 changes: 1 addition & 1 deletion files/en-us/web/api/fedcm_api/rp_sign-in/index.md
@@ -49,7 +49,7 @@ The `identity.providers` property takes an array containing one or more objects
The previous example also includes some optional features:

- `identity.context` specifies the context in which the user is authenticating with FedCM. For example, is it a first-time signup for this account, or a sign-in with an existing account? The browser uses this information to vary the text in its FedCM UI to better suit the context.
- The `nonce` property provides a random nonce value that ensures the response is issued for this specific request, preventing {{glossary("replay attack", "replay attacks")}}.
- The `nonce` property provides a random {{Glossary("Nonce")}} value that ensures the response is issued for this specific request, preventing {{glossary("replay attack", "replay attacks")}}.
- The `loginHint` property provides a hint about the account option(s) the browser should present for user sign-in. This hint is matched against the `login_hints` values that the IdP provides at the [accounts list endpoint](/en-US/docs/Web/API/FedCM_API/IDP_integration#the_accounts_list_endpoint).

The browser requests the IdP config files and carries out the sign-in flow detailed below. For more information on the kind of interaction a user might expect from the browser-supplied UI, see [Implement an identity solution with FedCM on the Relying Party side](https://developer.chrome.com/docs/identity/fedcm/implement/relying-party).
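Review bot: `{{Glossary("Nonce")}}` without display text renders as the capitalized "Nonce" in the middle of the sentence ("a random Nonce value"); every other hunk in this PR uses `{{Glossary("Nonce", "nonce")}}`, which should be used here too. The same line mixes macro casing (`{{Glossary(...)}}` and `{{glossary("replay attack", ...)}}`); one form throughout the line is easier to lint.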
2 changes: 1 addition & 1 deletion files/en-us/web/api/subtlecrypto/encrypt/index.md
@@ -85,7 +85,7 @@ A given counter block value must never be used more than once with the same key:

Typically this is achieved by splitting the initial counter block value into two concatenated parts:

- A [nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A {{Glossary("Nonce", "nonce")}} (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A counter. This part of the block gets incremented each time a block is encrypted.

Essentially: the nonce should ensure that counter blocks are not reused from one message to the next, while the counter should ensure that counter blocks are not reused within a single message.
2 changes: 1 addition & 1 deletion files/en-us/web/api/svgelement/nonce/index.md
@@ -8,7 +8,7 @@ browser-compat: api.SVGElement.nonce

{{APIRef("SVG")}}

The **`nonce`** property of the {{DOMxRef("SVGElement")}} interface returns the nonce that is used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether a given fetch will be allowed to proceed.
The **`nonce`** property of the {{DOMxRef("SVGElement")}} interface returns the {{Glossary("Nonce", "nonce")}} that is used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether a given fetch will be allowed to proceed.

## Value

2 changes: 1 addition & 1 deletion files/en-us/web/api/websockets_api/index.md
@@ -37,7 +37,7 @@ Additionally, the [WebTransport API](/en-US/docs/Web/API/WebTransport_API) is ex
The HTTP headers are used in the [WebSocket handshake](/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#the_websocket_handshake):

- {{HTTPHeader("Sec-WebSocket-Key")}}
- : An HTTP request header that contains a nonce from the client.
- : An HTTP request header that contains a {{Glossary("Nonce", "nonce")}} from the client.
This is used in the [WebSocket opening handshake](/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#the_websocket_handshake) to verify that the client explicitly intends to open a WebSocket.
It is added automatically by the browser.
- {{HTTPHeader("Sec-WebSocket-Accept")}}
2 changes: 1 addition & 1 deletion files/en-us/web/html/reference/elements/script/index.md
@@ -91,7 +91,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Reference/Glo
- `nomodule`
- : This Boolean attribute is set to indicate that the script should not be executed in browsers that support [ES modules](/en-US/docs/Web/JavaScript/Guide/Modules) — in effect, this can be used to serve fallback scripts to older browsers that do not support modular JavaScript code.
- `nonce`
- : A cryptographic nonce (number used once) to allow scripts in a [script-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
- : A cryptographic {{Glossary("Nonce", "nonce")}} (number used once) to allow scripts in a [script-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
- `referrerpolicy`
- : Indicates which [referrer](/en-US/docs/Web/API/Document/referrer) to send when fetching the script, or resources fetched by the script:
- `no-referrer`: The {{HTTPHeader("Referer")}} header will not be sent.
2 changes: 1 addition & 1 deletion files/en-us/web/html/reference/elements/style/index.md
@@ -56,7 +56,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Reference/Glo
- `media`
- : This attribute defines which media the style should be applied to. Its value is a [media query](/en-US/docs/Web/CSS/Guides/Media_queries/Using), which defaults to `all` if the attribute is missing.
- `nonce`
- : A cryptographic nonce (number used once) used to allow inline styles in a [style-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
- : A cryptographic {{Glossary("Nonce", "nonce")}} (number used once) used to allow inline styles in a [style-src Content-Security-Policy](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/style-src). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
- `title`
- : This attribute specifies [alternative style sheet](/en-US/docs/Web/HTML/Reference/Attributes/rel/alternate_stylesheet) sets.

2 changes: 1 addition & 1 deletion files/en-us/web/html/reference/global_attributes/index.md
@@ -81,7 +81,7 @@ In addition to the basic HTML global attributes, the following global attributes
- [`lang`](/en-US/docs/Web/HTML/Reference/Global_attributes/lang)
- : Helps define the language of an element: the language that non-editable elements are in, or the language that editable elements should be written in by the user. The attribute should contain a valid {{glossary("BCP 47 language tag")}}. `xml:lang` has priority over it.
- [`nonce`](/en-US/docs/Web/HTML/Reference/Global_attributes/nonce)
- : A cryptographic nonce ("number used once") which can be used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether or not a given fetch will be allowed to proceed.
- : A cryptographic {{Glossary("Nonce", "nonce")}} ("number used once") which can be used by [Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether or not a given fetch will be allowed to proceed.
- [`part`](/en-US/docs/Web/HTML/Reference/Global_attributes/part)
- : A space-separated list of the part names of the element. Part names allows CSS to select and style specific elements in a shadow tree via the {{CSSxRef("::part")}} pseudo-element.
- [`popover`](/en-US/docs/Web/HTML/Reference/Global_attributes/popover)
@@ -8,7 +8,7 @@ sidebar: htmlsidebar
---

The **`nonce`** [global attribute](/en-US/docs/Web/HTML/Reference/Global_attributes)
is a content attribute defining a cryptographic nonce ("number used once") which can be used by
is a content attribute defining a cryptographic {{Glossary("Nonce", "nonce")}} ("number used once") which can be used by
[Content Security Policy](/en-US/docs/Web/HTTP/Guides/CSP) to determine whether or not a given fetch will
be allowed to proceed for a given element.

2 changes: 1 addition & 1 deletion files/en-us/web/http/guides/csp/errors/index.md
@@ -21,7 +21,7 @@ When you see any of the following messages logged in the browser devtools consol
- Ignoring "%1$S" within script-src or style-src: nonce-source or hash-source specified
- Ignoring "%1$S" within script-src: 'strict-dynamic' specified
- Ignoring source "%1$S" (Only supported within script-src).
- Keyword 'strict-dynamic' within "%1$S" with no valid nonce or hash might block all scripts from loading
- Keyword 'strict-dynamic' within "%1$S" with no valid {{Glossary("Nonce", "nonce")}} or hash might block all scripts from loading
- The report URI (%1$S) should be an HTTP or HTTPS URI.
- This site (%1$S) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
- Failed to parse unrecognized source %1$S
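Review bot: this list reproduces the literal devtools console messages, `%1$S` placeholders included, so that readers can match what Firefox logs; inserting `{{Glossary("Nonce", "nonce")}}` into `Keyword 'strict-dynamic' within "%1$S" with no valid nonce or hash might block all scripts from loading` changes the verbatim string and renders a link inside a quoted message. Suggest leaving the message text as it was and linking the glossary term from the page's prose instead.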
2 changes: 1 addition & 1 deletion files/en-us/web/http/guides/csp/index.md
@@ -101,7 +101,7 @@ A CSP can provide protection against all of these. With a CSP, you can:

- define the permitted sources for JavaScript files and other resources, effectively blocking loads from `https://evil.example.com`
- disable inline script tags
- allow only script tags which have the correct nonce or hash set
- allow only script tags which have the correct {{Glossary("Nonce", "nonce")}} or hash set
- disable inline event handlers
- disable `javascript:` URLs
- disable dangerous APIs like `eval()`