Page 1 of 1

Possible unwise term in J4 :)

Posted: Tue Jul 02, 2019 12:59 am
by brendanhedges
Hi,
This post is directed at those involved with the development of J4, you know who you are!

I was poking around in J4 A11 today and came across a rather unfortunate term used in the Content-Security-Policy Component.

In the settings there is a heading "NONCE"

I wonder if anyone has realised that this acronym is actually a real word that in proper/real English has a negative meaning?

https://www.lexico.com/en/definition/nonce

nonce
NOUN
British informal
A person convicted of a sexual offence, especially against a child.


I just want to bring this to your attention as it is a little inappropriate.

Re: Possible unwise term in J4 :)

Posted: Tue Jul 02, 2019 3:06 am
by sozzled
Fair crack of the sauce bottle! I have never heard of that word used in that way. I had to research several dictionaries before I discovered that this term is predominantly underworld slang (i.e. the language used by criminals or among the populations of those who are incarcerated in prisons) and not in general usage. So, it probably depends on whom one associates with as to whether certain words or phrases have pejorative meanings or connotations.

I recall, several years ago, writing on a forum that I was having a rant. Most English speakers understand what a rant is; I could be accused of being borderline "rant-like" at the moment. I had not realised that, way back in Middle English times, the word "rant" had an entirely different meaning.

So, if in this particular case, the developers have portmanteaued a word into Joomla—a word that may have a unintended meaning depending on one's socio-cultural background—that's what happens sometimes, I guess. :p

Re: Possible unwise term in J4 :)

Posted: Tue Jul 02, 2019 3:34 am
by imanickam
Nonce - https://en.wikipedia.org/wiki/Cryptographic_nonce

In Joomla, the term Nonce is used in the above meaning. The following language strings would highlight this.

Code: Select all

COM_CSP_CONTENTSECURITYPOLICY_NONCE_ENABLED="<a href='https://en.wikipedia.org/wiki/Cryptographic_nonce' target='_blank' rel='noopener noreferrer'>Nonce</a>"

COM_CSP_CONTENTSECURITYPOLICY_NONCE_ENABLED_DESC="Enable the whitelist for specific inline scripts using a cryptographic nonce (number used once) for all scripts and styles using the Joomla API. Specifying a nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support."
Nonce Word - https://en.wikipedia.org/wiki/Nonce_word

Re: Possible unwise term in J4 :)

Posted: Tue Jul 02, 2019 10:59 pm
by brendanhedges
sozzled wrote:
Tue Jul 02, 2019 3:06 am
Fair crack of the sauce bottle! I have never heard of that word used in that way. I had to research several dictionaries before I discovered that this term is predominantly underworld slang (i.e. the language used by criminals or among the populations of those who are incarcerated in prisons) and not in general usage. So, it probably depends on whom one associates with as to whether certain words or phrases have pejorative meanings or connotations.


So, if in this particular case, the developers have portmanteaued a word into Joomla—a word that may have a unintended meaning depending on one's socio-cultural background—that's what happens sometimes, I guess. :p

I think that word is quite well known among British English speakers, I am no criminal yet I know it. I would also say if I used it in conversation, it would be understood, even by my aged parents. I agree it is being used with an unintended meaning, but I think because of it's meaning being associated with such a terrible form of crime, it could offend.

A point to concider:
If there was a component developed titled 'Form Under Construction Kit' would it be acceptable to abbreviate it to F.U.C.K?

Anyway,these are just my thoughts :)

Re: Possible unwise term in J4 :)

Posted: Tue Jul 02, 2019 11:01 pm
by brendanhedges
imanickam wrote:
Tue Jul 02, 2019 3:34 am
Nonce - https://en.wikipedia.org/wiki/Cryptographic_nonce

In Joomla, the term Nonce is used in the above meaning. The following language strings would highlight this.

Code: Select all

COM_CSP_CONTENTSECURITYPOLICY_NONCE_ENABLED="<a href='https://en.wikipedia.org/wiki/Cryptographic_nonce' target='_blank' rel='noopener noreferrer'>Nonce</a>"

COM_CSP_CONTENTSECURITYPOLICY_NONCE_ENABLED_DESC="Enable the whitelist for specific inline scripts using a cryptographic nonce (number used once) for all scripts and styles using the Joomla API. Specifying a nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support."
Nonce Word - https://en.wikipedia.org/wiki/Nonce_word

Yes, I've seen this, and I get what it is and why it's used. I just question its appropriateness.

Re: Possible unwise term in J4 :)

Posted: Tue Jul 02, 2019 11:19 pm
by sozzled
There are many words in the English language that have different (sometimes unintended) meanings depending on where one lives and one's cultural background. I live in Australia. While I'm familiar with many UK/British words, I live, breathe, read and write by the Macquarie Dictionary.

I am not a linguistic expert.

Until @imanickam provided us with the definition of the term used in a narrow cryptographic manner, I hadn't come across this word before. But, for the sake of pitting my background against anyone else's:
MacquarieDictionary_p1301.jpg
IMO, the word is appropriate within the given context.

Re: Possible unwise term in J4 :)

Posted: Wed Jul 03, 2019 1:09 am
by mbabker
You can't just change a technical term just because it has an unfavorable meaning in another context. "nonce" is the actual name of the HTML feature. If you feel the name is not appropriate, you're going to have to petition the WHATWG to change the name if you feel it really has no place in an end user facing application. Otherwise, it would be confusing for Joomla to invent its own terminology to describe a feature while avoiding the real name of the feature (especially because you couldn't actually write a tutorial explaining how to use it, you have to use the name in the script tag!).

Re: Possible unwise term in J4 :)

Posted: Sat Jul 06, 2019 2:24 pm
by webdevtim
Joomla could support ReactJS. Then they can invent their own attribute names.

Just kidding.

Glad this came up, though, because I was not aware of it.
The nonce attribute enables you to “whitelist” certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script/style), so that you still retain the key CSP feature of disallowing inline script/style in general.

So the nonce attribute is way of telling browsers that the inline contents of a particular script or style element were not injected into the document by some (malicious) third party, but were instead put into the document intentionally by whoever controls the server the document is served from.