last few tweaks

mdn · chrisdavidmills · May 28, 2024 · May 28, 2024 · May 28, 2024 · May 28, 2024
commit 796d6161398d8d02007e31e2c495371de9636389
@@ -50,7 +50,7 @@ The attribute value is either the keyword `off` or `on`, or a space-separated `<
 
  - : The browser is not permitted to automatically enter or select a value for this field. It is possible that the document or application provides its own autocomplete feature, or that security concerns require that the field's value not be automatically entered.
 
- > **Note:** In most modern browsers, setting `autocomplete` to "`off`" will not prevent a password manager from asking the user if they would like to save username and password information, or from automatically filling in those values in a site's login form. See [the autocomplete attribute and login fields](/en-US/docs/Web/Security/Practical_implementation/Turning_off_form_autocompletion#the_autocomplete_attribute_and_login_fields).
+ > **Note:** In most modern browsers, setting `autocomplete` to "`off`" will not prevent a password manager from asking the user if they would like to save username and password information, or from automatically filling in those values in a site's login form. See [Managing autofill for login fields](/en-US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion#managing_autofill_for_login_fields).
 
 - `on`
 
@@ -86,7 +86,7 @@ The attribute value is either the keyword `off` or `on`, or a space-separated `<
  - "`username`"
  - : A username or account name.
  - "`new-password`"
- - : A new password. When creating a new account or changing passwords, this should be used for an "Enter your new password" or "Confirm new password" field, as opposed to a general "Enter your current password" field that might be present. This may be used by the browser both to avoid accidentally filling in an existing password and to offer assistance in creating a secure password (see also [Preventing autofilling with autocomplete="new-password"](/en-US/docs/Web/Security/Practical_implementation/Turning_off_form_autocompletion#preventing_autofilling_with_autocompletenew-password)).
+ - : A new password. When creating a new account or changing passwords, this should be used for an "Enter your new password" or "Confirm new password" field, as opposed to a general "Enter your current password" field that might be present. This may be used by the browser both to avoid accidentally filling in an existing password and to offer assistance in creating a secure password.
  - "`current-password`"
  - : The user's current password.
  - "`one-time-code`"

@@ -36,7 +36,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
 
  - : Indicates whether input elements can by default have their values automatically completed by the browser. `autocomplete` attributes on form elements override it on `<form>`. Possible values:
 
- - `off`: The browser may not automatically complete entries. (Browsers tend to ignore this for suspected login forms; see [The autocomplete attribute and login fields](/en-US/docs/Web/Security/Practical_implementation/Turning_off_form_autocompletion#the_autocomplete_attribute_and_login_fields).)
+ - `off`: The browser may not automatically complete entries. (Browsers tend to ignore this for suspected login forms; see [Managing autofill for login fields](/en-US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion#managing_autofill_for_login_fields).)
  - `on`: The browser may automatically complete entries.
 
 - `name`

@@ -42,7 +42,7 @@ Due to the difficulty in retrofitting CSP into existing websites, CSP is mandato
 5. Make sure you are not loading any resources over HTTP. Load them over HTTPS instead. Don't include any HTTP sources in your CSP allowlists.
 6. For existing websites with large codebases that would require too much work to disable inline scripts, you could fall back to `default-src https: 'unsafe-inline'`. This is still helpful because it keeps resources from being accidentally loaded over HTTP. However, it does not provide any XSS protection.
 
-Notes:
+Keep the following points in mind:
 
 - If you are unable to use the `Content-Security-Policy` header, pages can instead include a [`<meta http-equiv="Content-Security-Policy" content="…">`](/en-US/docs/Web/HTML/Element/meta#http-equiv) element. This should be the first {{htmlelement("meta")}} element that appears inside the document {{htmlelement("head")}}.
 - Care needs to be taken with `data:` URIs because these are unsafe inside `script-src` and `object-src` (or `default-src`).

@@ -10,7 +10,7 @@ page-type: guide
 
 ## Problem
 
-Many factors increase the load on your website. You may wish to reduce website load by disabling the crawling of automatically generated content. As an added benefit, this prevents the pollution of search results with resources that don't benefit from being searchable.
+Many factors can increase the load on your website; this includes web crawlers. In addition, if allowed to crawl the entirety of a site, web crawlers can cause pollution of search results with resources that don't benefit from being searchable.
 
 ## Solution
 

@@ -14,7 +14,7 @@ page-type: guide
 
 If data is sent over the web unencrypted, it can be intercepted and read by third parties, who can modify and/or steal the data — this is often known as a [manipulator-in-the-middle](/en-US/docs/Glossary/MitM) (MiTM) attack. MiTM attacks have severe consequences for the security of your system.
-If data is sent over the web unencrypted, it can be intercepted and read by third parties, who can modify and/or steal the data — this is often known as a [manipulator-in-the-middle](/en-US/docs/Glossary/MitM) (MiTM) attack. MiTM attacks have severe consequences for the security of your system.
+If data is sent over the web unencrypted, it can be intercepted by third parties, who can modify and/or read the data — this is often known as a [manipulator-in-the-middle](/en-US/docs/Glossary/MitM) (MiTM) attack. MiTM attacks have severe consequences for the security of your system.
-If data is sent over the web unencrypted, it can be intercepted and read by third parties, who can modify and/or steal the data — this is often known as a [manipulator-in-the-middle](/en-US/docs/Glossary/MitM) (MiTM) attack. MiTM attacks have severe consequences for the security of your system.
+If data is sent over the web unencrypted, it can be intercepted by third parties, who can modify and/or read the data — this is often known as a [manipulator-in-the-middle](/en-US/docs/Glossary/MitM) (MiTM) attack. MiTM attacks have severe consequences for the security of your system.
 
-All requests and responses should therefore be sent over HTTPS. The modern web practically enforces this — all browsers are moving towards requiring [HTTPS](/en-US/docs/Glossary/HTTPS) by default, and many web features can only be used in a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
+All requests and responses should, therefore, be sent over HTTPS. The modern web practically enforces this — all browsers are moving towards requiring [HTTPS](/en-US/docs/Glossary/HTTPS) by default, and many web features can only be used in a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
-All requests and responses should, therefore, be sent over HTTPS. The modern web practically enforces this — all browsers are moving towards requiring [HTTPS](/en-US/docs/Glossary/HTTPS) by default, and many web features can only be used in a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
+All requests and responses should, therefore, be sent over HTTPS which uses TLS to encrypt the data. The modern web practically enforces this — all browsers are moving towards requiring [HTTPS](/en-US/docs/Glossary/HTTPS) by default, and many web features can only be used in a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
-All requests and responses should, therefore, be sent over HTTPS. The modern web practically enforces this — all browsers are moving towards requiring [HTTPS](/en-US/docs/Glossary/HTTPS) by default, and many web features can only be used in a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
+All requests and responses should, therefore, be sent over HTTPS which uses TLS to encrypt the data. The modern web practically enforces this — all browsers are moving towards requiring [HTTPS](/en-US/docs/Glossary/HTTPS) by default, and many web features can only be used in a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
 
 ### Solution