tor-browser

security.properties (17139B)

---

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# Mixed Content Blocker
# LOCALIZATION NOTE: "%1$S" is the URI of the blocked mixed content resource
BlockMixedDisplayContent = Blocked loading mixed display content “%1$S”
BlockMixedActiveContent = Blocked loading mixed active content “%1$S”

# CORS
# LOCALIZATION NOTE: Do not translate "Access-Control-Allow-Origin", Access-Control-Allow-Credentials, Access-Control-Allow-Methods, Access-Control-Allow-Headers
CORSDisabled=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS disabled).
CORSDidNotSucceed2=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS request did not succeed). Status code: %2$S.
CORSOriginHeaderNotAdded=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS header ‘Origin’ cannot be added).
CORSExternalRedirectNotAllowed=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS request external redirect not allowed).
CORSRequestNotHttp=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS request not http).
CORSMissingAllowOrigin2=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: %2$S.
CORSMultipleAllowOriginNotAllowed=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed).
CORSAllowOriginNotMatchingOrigin=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘%2$S’).
CORSNotSupportingCredentials=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ‘%1$S’. (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’).
CORSMethodNotFound=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’).
CORSMissingAllowCredentials=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’).
CORSPreflightDidNotSucceed3=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: CORS preflight response did not succeed). Status code: %2$S.
CORSInvalidAllowMethod=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: invalid token ‘%2$S’ in CORS header ‘Access-Control-Allow-Methods’).
CORSInvalidAllowHeader=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: invalid token ‘%2$S’ in CORS header ‘Access-Control-Allow-Headers’).
CORSMissingAllowHeaderFromPreflight2=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: header ‘%2$S’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
CORSAllowHeaderFromPreflightDeprecation=Cross-Origin Request Warning: The Same Origin Policy will disallow reading the remote resource at %1$S soon. (Reason: When the `Access-Control-Allow-Headers` is `*`, the `Authorization` header is not covered. To include the `Authorization` header, it must be explicitly listed in CORS header `Access-Control-Allow-Headers`).

# LOCALIZATION NOTE: Do not translate "Strict-Transport-Security", "HSTS", "max-age" or "includeSubDomains"
STSUnknownError=Strict-Transport-Security: An unknown error occurred processing the header specified by the site.
STSCouldNotParseHeader=Strict-Transport-Security: The site specified a header that could not be parsed successfully.
STSNoMaxAge=Strict-Transport-Security: The site specified a header that did not include a ‘max-age’ directive.
STSMultipleMaxAges=Strict-Transport-Security: The site specified a header that included multiple ‘max-age’ directives.
STSInvalidMaxAge=Strict-Transport-Security: The site specified a header that included an invalid ‘max-age’ directive.
STSMultipleIncludeSubdomains=Strict-Transport-Security: The site specified a header that included multiple ‘includeSubDomains’ directives.
STSInvalidIncludeSubdomains=Strict-Transport-Security: The site specified a header that included an invalid ‘includeSubDomains’ directive.
STSCouldNotSaveState=Strict-Transport-Security: An error occurred noting the site as a Strict-Transport-Security host.

InsecurePasswordsPresentOnPage=Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.
InsecureFormActionPasswordsPresent=Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
InsecurePasswordsPresentOnIframe=Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.
# LOCALIZATION NOTE: "%1$S" is the URI of the insecure mixed content resource
LoadingMixedActiveContent2=Loading mixed (insecure) active content “%1$S” on a secure page
LoadingMixedDisplayContent2=Loading mixed (insecure) display content “%1$S” on a secure page
# LOCALIZATION NOTE: "%S" is the URI of the insecure mixed content download
MixedContentBlockedDownload = Blocked downloading insecure content “%S”.

# LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe"
BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.
# LOCALIZATION NOTE: Do not translate "allow-top-navigation-by-user-activation", "allow-top-navigation", "sandbox" or "iframe"
BothAllowTopNavigationAndUserActivationPresent=An iframe which has both allow-top-navigation and allow-top-navigation-by-user-activation for its sandbox attribute will permit top navigations.

# Sub-Resource Integrity
# LOCALIZATION NOTE: Do not translate "script" or "integrity". "%1$S" is the invalid token found in the attribute.
MalformedIntegrityHash=The script element has a malformed hash in its integrity attribute: “%1$S”. The correct format is “<hash algorithm>-<hash value>”.
# LOCALIZATION NOTE: Do not translate "integrity"
InvalidIntegrityLength=The hash contained in the integrity attribute has the wrong length.
# LOCALIZATION NOTE: Do not translate "integrity"
InvalidIntegrityBase64=The hash contained in the integrity attribute could not be decoded.
# LOCALIZATION NOTE: Do not translate "integrity". "%1$S" is the type of hash algorithm in use (e.g. "sha256"). "%2$S" is the URI of the sub-resource. "%3$S" is the hash value we saw.
IntegrityMismatch3=None of the “%1$S” hashes in the integrity attribute match the content of the subresource at “%2$S”. The computed hash is “%3$S”.
# LOCALIZATION NOTE: "%1$S" is the URI of the sub-resource that cannot be protected using SRI.
IneligibleResource=“%1$S” is not eligible for integrity checks since it’s neither CORS-enabled nor same-origin.
# LOCALIZATION NOTE: Do not translate "integrity". "%1$S" is the invalid hash algorithm found in the attribute.
UnsupportedHashAlg=Unsupported hash algorithm in the integrity attribute: “%1$S”
# LOCALIZATION NOTE: Do not translate "integrity"
NoValidMetadata=The integrity attribute does not contain any valid metadata.

# LOCALIZATION NOTE: Do not translate "RC4".
WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure.

DeprecatedTLSVersion2=This site uses a deprecated version of TLS. Please upgrade to TLS 1.2 or 1.3.

#XCTO: nosniff
# LOCALIZATION NOTE: Do not translate "X-Content-Type-Options: nosniff".
MimeTypeMismatch2=The resource from “%1$S” was blocked due to MIME type (“%2$S”) mismatch (X-Content-Type-Options: nosniff).
# LOCALIZATION NOTE: Do not translate "X-Content-Type-Options" and also do not translate "nosniff".
XCTOHeaderValueMissing=X-Content-Type-Options header warning: value was “%1$S”; did you mean to send “nosniff”?
# LOCALIZATION NOTE: Do not translate "X-Content-Type-Options" and also do not translate "nosniff".
XTCOWithMIMEValueMissing=The resource from “%1$S” was not rendered due to an unknown, incorrect or missing MIME type (X-Content-Type-Options: nosniff).

BlockScriptWithWrongMimeType2=Script from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
WarnScriptWithWrongMimeType=The script from “%1$S” was loaded even though its MIME type (“%2$S”) is not a valid JavaScript MIME type.
# LOCALIZATION NOTE: Do not translate "importScripts()"
BlockImportScriptsWithWrongMimeType=Loading script from “%1$S” with importScripts() was blocked because of a disallowed MIME type (“%2$S”).
BlockWorkerWithWrongMimeType=Loading Worker from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
BlockModuleWithWrongMimeType=Loading module from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
BlockJsonModuleWithWrongMimeType=Loading JSON module from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).

# LOCALIZATION NOTE: Do not translate "data: URI".
BlockTopLevelDataURINavigation=Navigation to toplevel data: URI not allowed (Blocked loading of: “%1$S”)
BlockRedirectToDataURI=Redirecting to data: URI not allowed (Blocked loading of: “%1$S”)

# LOCALIZATION NOTE: Do not translate "file: URI". “%1$S” is the whole URI of the loaded file. “%2$S” is the MIME type e.g. "text/plain".
BlockFileScriptWithWrongMimeType=Loading script from file: URI (“%1$S”) was blocked because its MIME type (“%2$S”) is not a valid JavaScript MIME type.

# LOCALIZATION NOTE: “%S” is the whole URI of the loaded file.
BlockExtensionScriptWithWrongExt=Loading script with URI “%S” was blocked because the file extension is not allowed.

RestrictBrowserEvalUsage=eval() and eval-like uses are not allowed in the Parent Process or in System Contexts (Blocked usage in “%1$S”)

# LOCALIZATION NOTE (MixedContentAutoUpgrade):
# %1$S is the URL of the upgraded request; %2$S is the upgraded scheme.
MixedContentAutoUpgrade=Upgrading insecure display request ‘%1$S’ to use ‘%2$S’
# LOCALIZATION NOTE (RunningClearSiteDataValue):
# %S is the URI of the resource whose data was cleaned up
RunningClearSiteDataValue=Clear-Site-Data header forced the clean up of “%S” data.
UnknownClearSiteDataValue=Clear-Site-Data header found. Unknown value “%S”.

# Reporting API
ReportingHeaderInvalidJSON=Reporting Header: invalid JSON value received.
ReportingHeaderInvalidNameItem=Reporting Header: invalid name for group.
ReportingHeaderDuplicateGroup=Reporting Header: ignoring duplicated group named “%S”.
ReportingHeaderInvalidItem=Reporting Header: ignoring invalid item named “%S”.
ReportingHeaderInvalidEndpoint=Reporting Header: ignoring invalid endpoint for item named “%S”.
# LOCALIZATION NOTE(ReportingHeaderInvalidURLEndpoint): %1$S is the invalid URL, %2$S is the group name
ReportingHeaderInvalidURLEndpoint=Reporting Header: ignoring invalid endpoint URL “%1$S” for item named “%2$S”.

FeaturePolicyUnsupportedFeatureName=Feature Policy: Skipping unsupported feature name “%S”.
# TODO: would be nice to add a link to the Feature-Policy MDN documentation here. See bug 1449501
FeaturePolicyInvalidEmptyAllowValue= Feature Policy: Skipping empty allow list for feature: “%S”.
# TODO: would be nice to add a link to the Feature-Policy MDN documentation here. See bug 1449501
FeaturePolicyInvalidAllowValue=Feature Policy: Skipping unsupported allow value “%S”.

# LOCALIZATION NOTE: "%1$S" is the limitation length (bytes) of referrer URI, "%2$S" is the origin of the referrer URI.
ReferrerLengthOverLimitation=HTTP Referrer header: Length is over “%1$S” bytes limit - stripping referrer header down to origin: “%2$S”
# LOCALIZATION NOTE: "%1$S" is the limitation length (bytes) of referrer URI, "%2$S" is the origin of the referrer URI.
ReferrerOriginLengthOverLimitation=HTTP Referrer header: Length of origin within referrer is over “%1$S” bytes limit - removing referrer with origin “%2$S”.

# LOCALIZATION NOTE: Do not translate "no-referrer-when-downgrade", "origin-when-cross-origin" and "unsafe-url". %S is the URI of the loading channel.
ReferrerPolicyDisallowRelaxingWarning=Referrer Policy: Less restricted policies, including ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’ and ‘unsafe-url’, will be ignored soon for the cross-site request: %S
# LOCALIZATION NOTE: %1$S is the ignored referrer policy, %2$S is the URI of the loading channel.
ReferrerPolicyDisallowRelaxingMessage=Referrer Policy: Ignoring the less restricted referrer policy “%1$S” for the cross-site request: %2$S

# X-Frame-Options
# LOCALIZATION NOTE(XFrameOptionsInvalid): %1$S is the header value, %2$S is frame URI. Do not translate "X-Frame-Options".
XFrameOptionsInvalid = Invalid X-Frame-Options header was found when loading “%2$S”: “%1$S” is not a valid directive.
# LOCALIZATION NOTE(XFrameOptionsDeny): %1$S is the header value, %2$S is frame URI and %3$S is the parent document URI. Do not translate "X-Frame-Options".
XFrameOptionsDeny=The loading of “%2$S” in a frame is denied by “X-Frame-Options“ directive set to “%1$S“.

# HTTPS-Only Mode
# LOCALIZATION NOTE: %1$S is the URL of the upgraded request; %2$S is the upgraded scheme.
HTTPSOnlyUpgradeRequest = Upgrading insecure request “%1$S” to use “%2$S”.
# LOCALIZATION NOTE: %1$S is the URL of request.
HTTPSOnlyNoUpgradeException = Not upgrading insecure request “%1$S” because it is exempt.
# LOCALIZATION NOTE: %1$S is the URL of the failed request; %2$S is an error-code.
HTTPSOnlyFailedRequest = Upgrading insecure request “%1$S” failed. (%2$S)
# LOCALIZATION NOTE: %S is the URL of the failed request;
HTTPSOnlyFailedDowngradeAgain = Upgrading insecure request “%S” failed. Downgrading to “http” again.
# LOCALIZATION NOTE: Hints or indicates a new transaction for a URL is likely coming soon. We use
# a speculative connection to start a TCP connection so that the resource is immediately ready
# when the transaction is actually submitted. HTTPS-Only and HTTPS-First will upgrade such
# speculative TCP connections from http to https.
# %1$S is the URL of the upgraded speculative TCP connection; %2$S is the upgraded scheme.
HTTPSOnlyUpgradeSpeculativeConnection = Upgrading insecure speculative TCP connection “%1$S” to use “%2$S”.

HTTPSFirstSchemeless = Upgrading URL loaded in the address bar without explicit protocol scheme to use HTTPS.
# LOCALIZATION NOTE: %S is the hostname for which a exception will be added;
HTTPSFirstAddingException = Adding exception to temporarily prevent further attempts to automatically load “http://%S” securely.

# LOCALIZATION NOTE: %S is the URL of the blocked request;
IframeSandboxBlockedDownload = Download of “%S” was blocked because the triggering iframe has the sandbox flag set.

# LOCALIZATION NOTE: %S is the URL of the blocked request;
SandboxBlockedCustomProtocols = Blocked navigation to custom protocol “%S” from a sandboxed context.

# Sanitizer API
# LOCALIZATION NOTE: Do not translate Sanitizer, allowElement, attributes, removeAttributes or removeElements.
SanitizerAllowElementIgnored2 = Sanitizer: Calling allowElement() with “attributes” or non-empty “removeAttributes” was ignored because of the global “removeElements” list.

# LOCALIZATION NOTE: %S is the URI of the blocked script.
IntegrityPolicyEnforceBlockedScript = The page’s settings blocked a script at %S from being loaded because it is missing integrity metadata.
# LOCALIZATION NOTE: %S is the URI of the blocked script.
IntegrityPolicyReportOnlyBlockedScript = (Report-Only policy) The page’s settings would block a script at %S from being loaded because it is missing integrity metadata.

# LOCALIZATION NOTE: %S is the URI of the blocked stylesheet.
IntegrityPolicyEnforceBlockedStylesheet = The page’s settings blocked a stylesheet at %S from being loaded because it is missing integrity metadata.
# LOCALIZATION NOTE: %S is the URI of the blocked stylesheet.
IntegrityPolicyReportOnlyBlockedStylesheet = (Report-Only policy) The page’s settings would block a stylesheet at %S from being loaded because it is missing integrity metadata.