From 0354abf348353e28adebbc8d8d98f81aa673328a Mon Sep 17 00:00:00 2001
From: julieng <julien.gattelier@gmail.com>
Date: Sun, 18 Sep 2022 07:05:25 +0200
Subject: [PATCH 1/3] move *.html to *.md

---
 files/ru/web/security/{index.html => index.md}                    | 0
 files/ru/web/security/same-origin_policy/{index.html => index.md} | 0
 files/ru/web/security/securing_your_site/{index.html => index.md} | 0
 .../turning_off_form_autocompletion/{index.html => index.md}      | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename files/ru/web/security/{index.html => index.md} (100%)
 rename files/ru/web/security/same-origin_policy/{index.html => index.md} (100%)
 rename files/ru/web/security/securing_your_site/{index.html => index.md} (100%)
 rename files/ru/web/security/securing_your_site/turning_off_form_autocompletion/{index.html => index.md} (100%)
diff --git a/files/ru/web/security/index.html b/files/ru/web/security/index.md
similarity index 100%
rename from files/ru/web/security/index.html
rename to files/ru/web/security/index.md
diff --git a/files/ru/web/security/same-origin_policy/index.html b/files/ru/web/security/same-origin_policy/index.md
similarity index 100%
rename from files/ru/web/security/same-origin_policy/index.html
rename to files/ru/web/security/same-origin_policy/index.md
diff --git a/files/ru/web/security/securing_your_site/index.html b/files/ru/web/security/securing_your_site/index.md
similarity index 100%
rename from files/ru/web/security/securing_your_site/index.html
rename to files/ru/web/security/securing_your_site/index.md
diff --git a/files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.html b/files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.md
similarity index 100%
rename from files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.html
rename to files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.md

From 7e74880d9106f8edf3621d39d1221aec2719ad12 Mon Sep 17 00:00:00 2001
From: julieng <julien.gattelier@gmail.com>
Date: Sun, 18 Sep 2022 07:05:32 +0200
Subject: [PATCH 2/3] convert content to md

---
 files/ru/web/security/index.md                |   6 +-
 .../web/security/same-origin_policy/index.md  | 401 +++++++-----------
 .../web/security/securing_your_site/index.md  |  74 ++--
 .../turning_off_form_autocompletion/index.md  |  78 ++--
 4 files changed, 219 insertions(+), 340 deletions(-)

diff --git a/files/ru/web/security/index.md b/files/ru/web/security/index.md
index c704828ea873a6..02f78f5fd5eaa7 100644
--- a/files/ru/web/security/index.md
+++ b/files/ru/web/security/index.md
@@ -6,8 +6,8 @@ tags:
   - Безопасность
 translation_of: Web/Security
 ---
-<p><span class="seoSummary">Обеспечение того, чтобы ваш веб-сайт или открытое веб-приложение было безопасным является критически важным. Даже простые ошибки в коде могут привести к утечке частной информации,  завладеть которой хотят не добросовестные пользователи, с целью кражи данных. Эти статьи предоставляют информацию, которая может помочь вам обеспечить безопасность вашего кода.</span></p>
+Обеспечение того, чтобы ваш веб-сайт или открытое веб-приложение было безопасным является критически важным. Даже простые ошибки в коде могут привести к утечке частной информации, завладеть которой хотят не добросовестные пользователи, с целью кражи данных. Эти статьи предоставляют информацию, которая может помочь вам обеспечить безопасность вашего кода.
 
-<p>{{LandingPageListSubpages}}</p>
+{{LandingPageListSubpages}}
 
-<p>{{QuickLinksWithSubpages}}</p>
+{{QuickLinksWithSubpages}}
diff --git a/files/ru/web/security/same-origin_policy/index.md b/files/ru/web/security/same-origin_policy/index.md
index 6ee6df43981e95..57d8a3d8dd1d70 100644
--- a/files/ru/web/security/same-origin_policy/index.md
+++ b/files/ru/web/security/same-origin_policy/index.md
@@ -3,262 +3,147 @@ title: Same-origin policy
 slug: Web/Security/Same-origin_policy
 translation_of: Web/Security/Same-origin_policy
 ---
-<p><strong>Политика одинакового источника</strong> (same-origin policy) определяет как документ или скрипт, загруженный из одного источника ({{Glossary("origin")}}), может взаимодействовать с ресурсом из другого источника. Это помогает изолировать потенциально вредоносные документы, снижая количество возможных векторов атак.</p>
-
-<h2 id="Определение_origin">Определение origin</h2>
-
-<p>Две страницы имеют одинаковый origin (источник) если протокол , порт (если указан), и хост одинаковы для обоих страниц. Время от времени, вы можете видеть это как  "scheme/host/port tuple" (где "tuple"<sup> переводится как кортеж или запись</sup> набор из трёх компонент, которые вместе составляют единое целое).</p>
-
-<p>В следующей таблице даны примеры origin-сравнений с URL <code>http://store.company.com/dir/page.html</code>:</p>
-
-<table class="standard-table">
- <tbody>
-  <tr>
-   <th>URL</th>
-   <th>Outcome</th>
-   <th>Reason</th>
-  </tr>
-  <tr>
-   <td><code>http://store.company.com/dir2/other.html</code></td>
-   <td>Success</td>
-   <td></td>
-  </tr>
-  <tr>
-   <td><code>http://store.company.com/dir/inner/another.html</code></td>
-   <td>Success</td>
-   <td></td>
-  </tr>
-  <tr>
-   <td><code>https://store.company.com/secure.html</code></td>
-   <td>Failure</td>
-   <td>Different protocol</td>
-  </tr>
-  <tr>
-   <td><code>http://store.company.com:81/dir/etc.html</code></td>
-   <td>Failure</td>
-   <td>Different port</td>
-  </tr>
-  <tr>
-   <td><code>http://news.company.com/dir/other.html</code></td>
-   <td>Failure</td>
-   <td>Different host</td>
-  </tr>
- </tbody>
-</table>
+**Политика одинакового источника** (same-origin policy) определяет как документ или скрипт, загруженный из одного источника ({{Glossary("origin")}}), может взаимодействовать с ресурсом из другого источника. Это помогает изолировать потенциально вредоносные документы, снижая количество возможных векторов атак.
 
-<p>Смотрите также <a href="/en-US/docs/Same-origin_policy_for_file:_URIs" title="Same-origin_policy_for_file:_URIs">origin definition for <code>file:</code> URLs</a>.</p>
-
-<h3 id="Наследование_origins">Наследование origins</h3>
-
-<p>Контент из <code>about:blank</code> и <code>javascript:</code> адреса наследуют источник документа, содержащего этот URL, поскольку они не содержат информации о сервере происхождения.</p>
-
-<div class="note">
-<p>Например, <code>about:blank</code> часто используется в качестве URL новых, пустых окон в которые родительский скрипт записывает контент (например, с помощью {{domxref("Window.open()")}}). Если это окно также содержит JavaScript, то скрипт будет наследовать то же происхождение, что и его родитель.</p>
-</div>
-
-<div class="blockIndicator warning">
-<p style="line-height: 30px;"><code>data:</code> адреса получают новый, пустой, безопасный контекст.</p>
-</div>
-
-<h3 id="Исключения_в_Internet_Explorer">Исключения в Internet Explorer</h3>
-
-<p>Internet Explorer два основных исключения из политики одно происхождения:</p>
-
-<dl>
- <dt>Trust Zones (Зоны доверия)</dt>
- <dd>Если оба домена находятся в зоне высокого доверия (например, зоны корпоративной интрасети), то ограничения на одно и то же происхождение не применяется.</dd>
- <dt>Порт</dt>
- <dd>IE не включает порт в same-origin проверку. Следовательно, <code>https://company.com:81/index.html</code> и <code>https://company.com/index.html</code> являются адресами одного происхождения и ограничения действовать не будут.</dd>
-</dl>
-
-<p>Эти исключения являются нестандартными и не поддерживаются в любом другом браузере</p>
-
-<h2 id="Изменение_origin">Изменение origin</h2>
-
-<p>Страница может изменить свой оригинальный origin с некоторыми ограничениями. Скрипт может установить значение {{domxref("document.domain")}} на текущий домен или супердомен текущего домена. Если значение будет установлено на супердомен текущего домена, более короткий домен будет использован для последующей проверки origin'а. Например, предполагается, что скрипт в документе по адресу <code>http://store.company.com/dir/other.html</code> выполняется следующим выражением:</p>
-
-<pre class="brush: js line-numbers language-js"><code class="language-js">document<span class="punctuation token">.</span>domain <span class="operator token">=</span> <span class="string token">"company.com"</span><span class="punctuation token">;</span></code></pre>
-
-<p>После этого, страница может пройти такую же проверку на <code>http://company.com/dir/page.html</code> (<code>предполагая, что http://company.com/dir/page.html</code> установил <code>document.domain</code> в значение "<code>company.com</code>" чтобы указать, что у него получилось разрешение - смотри {{domxref("document.domain")}}). Однако, <code>company.com</code> <strong>не может </strong>установить <code>document.domain</code> в значение <code>othercompany.com</code>, поскольку это значение не является супердоменом <code>company.com</code>.</p>
-
-<p>Номер порта проверяется браузером отдельно. Любой вызов <code>document.domain</code>, включающий <code>document.domain = document.domain</code>, заменяет номер порта, устанавливая его в значение <code>null</code>. Следовательно, <strong>невозможно</strong> вызов <code>company.com:8080</code> обозначить <code>company.com</code> одной лишь установкой<code>document.domain = "company.com"</code> в начале. Он должен быть установлен в обоих случаях и номер портов в этих случаях должны равняться значению <code>null</code>.</p>
-
-<div class="note">
-<p><strong>Замечание:</strong> Когда используется <code>document.domain</code> для разрешения поддомена для родительского доступа к нему, вы должны установить <code>document.domain</code> в<em> такое же значение, </em>как в родительском домене, так и в поддомене. Это необходимо, даже если при этом просто восстанавливается исходное значение родительского домена. Несоблюдение этого правила может привести к ошибкам разрешений.</p>
-</div>
-
-<h2 id="Cross-origin_network_access">Cross-origin network access</h2>
-
-<p>The same-origin policy controls interactions between two different origins, such as when you use {{domxref("XMLHttpRequest")}} or an {{htmlelement("img")}} element. These interactions are typically placed into three categories:</p>
-
-<ul>
- <li>Cross-origin <em>writes </em>are typically allowed. Examples are links, redirects and form submissions. Certain rarely used HTTP requests require <a href="/en-US/docs/HTTP/Access_control_CORS#Preflighted_requests" title="HTTP/Access_control_CORS#Preflighted_requests">preflight</a>.</li>
- <li>Cross-origin <em>embedding </em>is typically allowed. Examples are listed below.</li>
- <li>Cross-origin <em>reads </em>are typically not allowed, but read access is often leaked by embedding. For example, you can read the width and height of an embedded image, the actions of an embedded script, or the <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=629094">availability of an embedded resource</a>.</li>
-</ul>
-
-<p>Here are some examples of resources which may be embedded cross-origin:</p>
-
-<ul>
- <li>JavaScript with <code>&lt;script src="..."&gt;&lt;/script&gt;</code>. Error messages for syntax errors are only available for same-origin scripts.</li>
- <li>CSS with <code>&lt;link rel="stylesheet" href="..."&gt;</code>. Due to the <a href="http://scarybeastsecurity.blogspot.dk/2009/12/generic-cross-browser-cross-domain.html" title="http://scarybeastsecurity.blogspot.dk/2009/12/generic-cross-browser-cross-domain.html">relaxed syntax rules</a> of CSS, cross-origin CSS requires a correct <code>Content-Type</code> header. Restrictions vary by browser: <a href="http://msdn.microsoft.com/en-us/library/ie/gg622939%28v=vs.85%29.aspx">IE</a>, <a href="http://www.mozilla.org/security/announce/2010/mfsa2010-46.html" title="http://www.mozilla.org/security/announce/2010/mfsa2010-46.html">Firefox</a>, <a href="http://code.google.com/p/chromium/issues/detail?id=9877">Chrome</a>, <a href="http://support.apple.com/kb/HT4070">Safari</a> (scroll down to CVE-2010-0051) and <a href="http://www.opera.com/support/kb/view/943/">Opera</a>.</li>
- <li>Images with {{htmlelement("img")}}. Supported image formats include PNG, JPEG, GIF, BMP, SVG, ...</li>
- <li>Media files with {{htmlelement("video")}} and {{htmlelement("audio")}}.</li>
- <li>Plug-ins with <a href="/en-US/docs/HTML/Element/object" title="HTML/Element/object"><code>&lt;object&gt;</code></a>, <a href="/en-US/docs/HTML/Element/embed" title="HTML/Element/embed"><code>&lt;embed&gt;</code></a> and <a href="/en-US/docs/HTML/Element/applet" title="HTML/Element/applet"><code>&lt;applet&gt;</code></a>.</li>
- <li>Fonts with <a href="/en-US/docs/CSS/@font-face" title="CSS/@font-face"><code>@font-face</code></a>. Some browsers allow cross-origin fonts, others require same-origin fonts.</li>
- <li>Anything with <a href="/en-US/docs/HTML/Element/frame" title="HTML/Element/frame"><code>&lt;frame&gt;</code></a> and <a href="/en-US/docs/HTML/Element/iframe" title="HTML/Element/iframe"><code>&lt;iframe&gt;</code></a>. A site can use the <code><a href="/en-US/docs/HTTP/X-Frame-Options" title="HTTP/X-Frame-Options">X-Frame-Options</a></code> header to prevent this form of cross-origin interaction.</li>
-</ul>
-
-<h3 id="How_to_allow_cross-origin_access">How to allow cross-origin access</h3>
-
-<p>Use <a href="/en-US/docs/HTTP/Access_control_CORS" title="HTTP/Access_control_CORS">CORS</a> to allow cross-origin access.</p>
-
-<h3 id="How_to_block_cross-origin_access">How to block cross-origin access</h3>
-
-<ul>
- <li>To prevent cross-origin writes, check for an unguessable token in the request, known as a <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">Cross-Site Request Forgery (CSRF)</a> token. You must prevent cross-origin reads of pages that know this token.</li>
- <li>To prevent cross-origin reads of a resource, ensure that it is not embeddable. It is often necessary to prevent embedding because embedding a resource always leaks some information about it.</li>
- <li>To prevent cross-origin embedding, ensure that your resource cannot be interpreted as one of the embeddable formats listed above. The browser does not respect the <code>Content-Type</code> in most cases. For example, if you point a <code>&lt;script&gt;</code> tag at an HTML document, the browser will try to parse the HTML as JavaScript. When your resource is not an entry point to your site, you can also use a CSRF token to prevent embedding.</li>
-</ul>
-
-<h2 id="Cross-origin_script_API_access">Cross-origin script API access</h2>
-
-<p>JavaScript APIs such as <a href="/en-US/docs/DOM/HTMLIFrameElement" title="DOM/HTMLIFrameElement"><code>iframe.contentWindow</code></a>, {{domxref("window.parent")}}, {{domxref("window.open")}} and {{domxref("window.opener")}} allow documents to directly reference each other. When the two documents do not have the same origin, these references provide very limited access to <a href="/en-US/docs/Web/API/Window"><code>Window</code></a> and <a href="/en-US/docs/Web/API/Location"><code>Location</code></a> objects, as described in the next two sections.</p>
-
-<p>To communicate further between documents from different origins, use {{domxref("window.postMessage")}}.</p>
-
-<h3 id="Window">Window</h3>
-
-<p>Specification:  <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window">http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window</a>.</p>
-
-<p>The following cross-origin access to <code>Window</code> properties is allowed:</p>
-
-<table class="fullwidth-table standard-table">
- <thead>
-  <tr>
-   <th scope="col">Methods</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td>{{domxref("window.blur")}}</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.close")}}</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.focus")}}</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.postMessage")}}</td>
-  </tr>
- </tbody>
-</table>
-
-<table class="fullwidth-table standard-table">
- <thead>
-  <tr>
-   <th scope="col">Attributes</th>
-   <th scope="col"></th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td>{{domxref("window.closed")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.frames")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.length")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.location")}}</td>
-   <td>Read/write.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.opener")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.parent")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.self")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.top")}}</td>
-   <td>Read only.</td>
-  </tr>
-  <tr>
-   <td>{{domxref("window.window")}}</td>
-   <td>Read only.</td>
-  </tr>
- </tbody>
-</table>
-
-<p>Some browsers allow access to more properties than the specification allows.</p>
-
-<h3 id="Location">Location</h3>
-
-<p>Specification:  <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-location">http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-location</a>.</p>
-
-<p>The following cross-origin access to <code>Location</code> properties is allowed:</p>
-
-<table class="fullwidth-table standard-table">
- <thead>
-  <tr>
-   <th scope="col">Methods</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td>{{domxref("location.replace")}}</td>
-  </tr>
- </tbody>
-</table>
-
-<table class="fullwidth-table standard-table">
- <thead>
-  <tr>
-   <th scope="col">Attributes</th>
-   <th scope="col"></th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td>{{domxref("URLUtils.href")}}</td>
-   <td>Write only.</td>
-  </tr>
- </tbody>
-</table>
-
-<p>Some browsers allow access to more properties than the specification allows.</p>
-
-<h2 id="Cross-origin_data_storage_access">Cross-origin data storage access</h2>
-
-<p>Access to data stored in the browser such as <a href="/en-US/docs/Web/Guide/API/DOM/Storage">localStorage</a> and <a href="/en-US/docs/IndexedDB">IndexedDB</a> are separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin.</p>
-
-<p>Cookies use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix. Firefox and Chrome use the <a href="http://publicsuffix.org/">Public Suffix List</a> to determine if a domain is a public suffix. Internet Explorer uses its own internal method to determine if a domain is a public suffix. The browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (HTTP/HTTPS) or port is used. When you set a cookie, you can limit its availability using the Domain, Path, Secure and Http-Only flags. When you read a cookie, you cannot see from where it was set. Even if you use only secure https connections, any cookie you see may have been set using an insecure connection.</p>
-
-<h2 id="See_also">See also</h2>
-
-<ul>
- <li><a href="/en-US/docs/Same-origin_policy_for_file:_URIs" title="Same-origin policy for file: URIs">Same-origin policy for file: URIs</a></li>
- <li><a href="http://www.w3.org/Security/wiki/Same_Origin_Policy">Same-Origin Policy at W3C</a></li>
-</ul>
-
-<div class="originaldocinfo">
-<h2 id="Original_Document_Information">Original Document Information</h2>
-
-<ul>
- <li>Author(s): Jesse Ruderman</li>
-</ul>
-</div>
-
-<p>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</p>
+## Определение origin
+
+Две страницы имеют одинаковый origin (источник) если протокол , порт (если указан), и хост одинаковы для обоих страниц. Время от времени, вы можете видеть это как "scheme/host/port tuple" (где "tuple" переводится как кортеж или запись набор из трёх компонент, которые вместе составляют единое целое).
+
+В следующей таблице даны примеры origin-сравнений с URL `http://store.company.com/dir/page.html`:
+
+| URL                                               | Outcome | Reason             |
+| ------------------------------------------------- | ------- | ------------------ |
+| `http://store.company.com/dir2/other.html`        | Success |                    |
+| `http://store.company.com/dir/inner/another.html` | Success |                    |
+| `https://store.company.com/secure.html`           | Failure | Different protocol |
+| `http://store.company.com:81/dir/etc.html`        | Failure | Different port     |
+| `http://news.company.com/dir/other.html`          | Failure | Different host     |
+
+Смотрите также [origin definition for `file:` URLs](/ru/docs/Same-origin_policy_for_file:_URIs "Same-origin_policy_for_file:_URIs").
+
+### Наследование origins
+
+Контент из `about:blank` и `javascript:` адреса наследуют источник документа, содержащего этот URL, поскольку они не содержат информации о сервере происхождения.
+
+> **Примечание:** Например, `about:blank` часто используется в качестве URL новых, пустых окон в которые родительский скрипт записывает контент (например, с помощью {{domxref("Window.open()")}}). Если это окно также содержит JavaScript, то скрипт будет наследовать то же происхождение, что и его родитель.
+
+> **Предупреждение:** `data:` адреса получают новый, пустой, безопасный контекст.
+
+### Исключения в Internet Explorer
+
+Internet Explorer два основных исключения из политики одно происхождения:
+
+- Trust Zones (Зоны доверия)
+  - : Если оба домена находятся в зоне высокого доверия (например, зоны корпоративной интрасети), то ограничения на одно и то же происхождение не применяется.
+- Порт
+  - : IE не включает порт в same-origin проверку. Следовательно, `https://company.com:81/index.html` и `https://company.com/index.html` являются адресами одного происхождения и ограничения действовать не будут.
+
+Эти исключения являются нестандартными и не поддерживаются в любом другом браузере
+
+## Изменение origin
+
+Страница может изменить свой оригинальный origin с некоторыми ограничениями. Скрипт может установить значение {{domxref("document.domain")}} на текущий домен или супердомен текущего домена. Если значение будет установлено на супердомен текущего домена, более короткий домен будет использован для последующей проверки origin'а. Например, предполагается, что скрипт в документе по адресу `http://store.company.com/dir/other.html` выполняется следующим выражением:
+
+```js
+document.domain = "company.com";
+```
+
+После этого, страница может пройти такую же проверку на `http://company.com/dir/page.html` (`предполагая, что http://company.com/dir/page.html` установил `document.domain` в значение "`company.com`" чтобы указать, что у него получилось разрешение - смотри {{domxref("document.domain")}}). Однако, `company.com` **не может** установить `document.domain` в значение `othercompany.com`, поскольку это значение не является супердоменом `company.com`.
+
+Номер порта проверяется браузером отдельно. Любой вызов `document.domain`, включающий `document.domain = document.domain`, заменяет номер порта, устанавливая его в значение `null`. Следовательно, **невозможно** вызов `company.com:8080` обозначить `company.com` одной лишь установкой`document.domain = "company.com"` в начале. Он должен быть установлен в обоих случаях и номер портов в этих случаях должны равняться значению `null`.
+
+> **Примечание:** **Замечание:** Когда используется `document.domain` для разрешения поддомена для родительского доступа к нему, вы должны установить `document.domain` в _такое же значение,_ как в родительском домене, так и в поддомене. Это необходимо, даже если при этом просто восстанавливается исходное значение родительского домена. Несоблюдение этого правила может привести к ошибкам разрешений.
+
+## Cross-origin network access
+
+The same-origin policy controls interactions between two different origins, such as when you use {{domxref("XMLHttpRequest")}} or an {{htmlelement("img")}} element. These interactions are typically placed into three categories:
+
+- Cross-origin _writes_ are typically allowed. Examples are links, redirects and form submissions. Certain rarely used HTTP requests require [preflight](/ru/docs/HTTP/Access_control_CORS#Preflighted_requests "HTTP/Access_control_CORS#Preflighted_requests").
+- Cross-origin _embedding_ is typically allowed. Examples are listed below.
+- Cross-origin _reads_ are typically not allowed, but read access is often leaked by embedding. For example, you can read the width and height of an embedded image, the actions of an embedded script, or the [availability of an embedded resource](https://bugzilla.mozilla.org/show_bug.cgi?id=629094).
+
+Here are some examples of resources which may be embedded cross-origin:
+
+- JavaScript with `<script src="..."></script>`. Error messages for syntax errors are only available for same-origin scripts.
+- CSS with `<link rel="stylesheet" href="...">`. Due to the [relaxed syntax rules](http://scarybeastsecurity.blogspot.dk/2009/12/generic-cross-browser-cross-domain.html) of CSS, cross-origin CSS requires a correct `Content-Type` header. Restrictions vary by browser: [IE](http://msdn.microsoft.com/en-us/library/ie/gg622939%28v=vs.85%29.aspx), [Firefox](http://www.mozilla.org/security/announce/2010/mfsa2010-46.html), [Chrome](http://code.google.com/p/chromium/issues/detail?id=9877), [Safari](http://support.apple.com/kb/HT4070) (scroll down to CVE-2010-0051) and [Opera](http://www.opera.com/support/kb/view/943/).
+- Images with {{htmlelement("img")}}. Supported image formats include PNG, JPEG, GIF, BMP, SVG, ...
+- Media files with {{htmlelement("video")}} and {{htmlelement("audio")}}.
+- Plug-ins with [`<object>`](/ru/docs/HTML/Element/object "HTML/Element/object"), [`<embed>`](/ru/docs/HTML/Element/embed "HTML/Element/embed") and [`<applet>`](/ru/docs/HTML/Element/applet "HTML/Element/applet").
+- Fonts with [`@font-face`](/ru/docs/CSS/@font-face "CSS/@font-face"). Some browsers allow cross-origin fonts, others require same-origin fonts.
+- Anything with [`<frame>`](/ru/docs/HTML/Element/frame "HTML/Element/frame") and [`<iframe>`](/ru/docs/HTML/Element/iframe "HTML/Element/iframe"). A site can use the [`X-Frame-Options`](/en-US/docs/HTTP/X-Frame-Options "HTTP/X-Frame-Options") header to prevent this form of cross-origin interaction.
+
+### How to allow cross-origin access
+
+Use [CORS](/ru/docs/HTTP/Access_control_CORS "HTTP/Access_control_CORS") to allow cross-origin access.
+
+### How to block cross-origin access
+
+- To prevent cross-origin writes, check for an unguessable token in the request, known as a [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) token. You must prevent cross-origin reads of pages that know this token.
+- To prevent cross-origin reads of a resource, ensure that it is not embeddable. It is often necessary to prevent embedding because embedding a resource always leaks some information about it.
+- To prevent cross-origin embedding, ensure that your resource cannot be interpreted as one of the embeddable formats listed above. The browser does not respect the `Content-Type` in most cases. For example, if you point a `<script>` tag at an HTML document, the browser will try to parse the HTML as JavaScript. When your resource is not an entry point to your site, you can also use a CSRF token to prevent embedding.
+
+## Cross-origin script API access
+
+JavaScript APIs such as [`iframe.contentWindow`](/ru/docs/DOM/HTMLIFrameElement "DOM/HTMLIFrameElement"), {{domxref("window.parent")}}, {{domxref("window.open")}} and {{domxref("window.opener")}} allow documents to directly reference each other. When the two documents do not have the same origin, these references provide very limited access to [`Window`](/ru/docs/Web/API/Window) and [`Location`](/ru/docs/Web/API/Location) objects, as described in the next two sections.
+
+To communicate further between documents from different origins, use {{domxref("window.postMessage")}}.
+
+### Window
+
+Specification: <http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window>.
+
+The following cross-origin access to `Window` properties is allowed:
+
+| Methods                                      |
+| -------------------------------------------- |
+| {{domxref("window.blur")}}         |
+| {{domxref("window.close")}}         |
+| {{domxref("window.focus")}}         |
+| {{domxref("window.postMessage")}} |
+
+| Attributes                               |             |
+| ---------------------------------------- | ----------- |
+| {{domxref("window.closed")}}     | Read only.  |
+| {{domxref("window.frames")}}     | Read only.  |
+| {{domxref("window.length")}}     | Read only.  |
+| {{domxref("window.location")}} | Read/write. |
+| {{domxref("window.opener")}}     | Read only.  |
+| {{domxref("window.parent")}}     | Read only.  |
+| {{domxref("window.self")}}     | Read only.  |
+| {{domxref("window.top")}}         | Read only.  |
+| {{domxref("window.window")}}     | Read only.  |
+
+Some browsers allow access to more properties than the specification allows.
+
+### Location
+
+Specification: <http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-location>.
+
+The following cross-origin access to `Location` properties is allowed:
+
+| Methods                                  |
+| ---------------------------------------- |
+| {{domxref("location.replace")}} |
+
+| Attributes                           |             |
+| ------------------------------------ | ----------- |
+| {{domxref("URLUtils.href")}} | Write only. |
+
+Some browsers allow access to more properties than the specification allows.
+
+## Cross-origin data storage access
+
+Access to data stored in the browser such as [localStorage](/ru/docs/Web/Guide/API/DOM/Storage) and [IndexedDB](/ru/docs/IndexedDB) are separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin.
+
+Cookies use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix. Firefox and Chrome use the [Public Suffix List](http://publicsuffix.org/) to determine if a domain is a public suffix. Internet Explorer uses its own internal method to determine if a domain is a public suffix. The browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (HTTP/HTTPS) or port is used. When you set a cookie, you can limit its availability using the Domain, Path, Secure and Http-Only flags. When you read a cookie, you cannot see from where it was set. Even if you use only secure https connections, any cookie you see may have been set using an insecure connection.
+
+## See also
+
+- [Same-origin policy for file: URIs](/ru/docs/Same-origin_policy_for_file:_URIs "Same-origin policy for file: URIs")
+- [Same-Origin Policy at W3C](http://www.w3.org/Security/wiki/Same_Origin_Policy)
+
+## Original Document Information
+
+- Author(s): Jesse Ruderman
+
+{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}
diff --git a/files/ru/web/security/securing_your_site/index.md b/files/ru/web/security/securing_your_site/index.md
index ca80365738b8b2..2703a8f86b287c 100644
--- a/files/ru/web/security/securing_your_site/index.md
+++ b/files/ru/web/security/securing_your_site/index.md
@@ -10,44 +10,36 @@ tags:
   - Website Security
 translation_of: Web/Security/Securing_your_site
 ---
-<p>There are a number of things you can do to help secure your site. This article offers an assortment of suggestions, as well as links to other articles providing more useful information.</p>
-
-<div class="note"><strong>Note:</strong> This article is a work in progress, and is neither complete nor does following its suggestions guarantee your site will be fully secure.</div>
-
-<h2 id="User_information_security">User information security</h2>
-
-<dl>
- <dt><a href="/en/How_to_Turn_Off_Form_Autocompletion" title="en/How to Turn Off Form Autocompletion">How to turn off form autocompletion</a></dt>
- <dd>Form fields support autocompletion in Gecko; that is, their values can be remembered and automatically brought back the next time the user visits your site. For certain types of data, you may wish to disable this feature.</dd>
- <dt><a href="/en/CSS/Privacy_and_the_:visited_selector" title="en/CSS/Privacy and the :visited selector">Privacy and the :visited selector</a></dt>
- <dd>This article discusses changes made to the <code>getComputedStyle()</code> method that eliminates the ability for malicious sites to figure out the user's browsing history.</dd>
- <dt><a href="https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet">Hash passwords using a secure algorithm</a> (OWASP)</dt>
- <dd>Storing passwords in plain text can lead to attackers knowing and leaking the exact password of your site's users, potentially putting the users at risk. The same issues can arise if you use an old or insecure algorithm for hashing (such as md5). You should use a password-specific hashing algorithm (such as Argon2, PBKDF2, scrypt or bcrypt) instead of message digest algorithms (such as md5 and sha). This article showcases best practices to use when storing passwords.</dd>
-</dl>
-
-<h2 id="Content_security">Content security</h2>
-
-<dl>
- <dt><a href="/en/Properly_Configuring_Server_MIME_Types" title="en/Properly Configuring Server MIME Types">Properly configuring server MIME types</a></dt>
- <dd>There are several ways incorrect MIME types can cause potential security problems with your site. This article explains some of those and shows how to configure your server to serve files with the correct MIME types.</dd>
- <dt><a href="/en/Security/HTTP_Strict_Transport_Security" title="en/Security/HTTP Strict Transport Security">HTTP Strict Transport Security</a></dt>
- <dd>The <code>Strict-Transport-Security:</code> <a href="/en/HTTP" title="en/HTTP">HTTP</a> header lets a website specify that it may only be accessed using HTTPS.</dd>
- <dt><a href="/en-US/docs/Web/HTTP/CORS" title="En/HTTP access control">HTTP access control</a></dt>
- <dd>The Cross-Origin Resource Sharing standard provides a way to specify what content may be loaded from other domains. You can use this to prevent your site from being used improperly; in addition, you can use it to establish resources that other sites are expressly permitted to use.</dd>
- <dt><a href="/en/Security/CSP">Content Security Policy</a></dt>
- <dd>An added layer of security that helps to detect and mitigate certain types of attacks, including {{Glossary("Cross-site_scripting", "Cross Site Scripting (XSS)")}} and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. Code is executed by the victims and lets the attackers bypass access controls and impersonate users. According to the Open Web Application Security Project, XSS was the <a class="external external-icon" href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" rel="noopener">seventh most common Web app vulnerability</a> in 2017.</dd>
- <dt><a href="/en-US/docs/Web/HTTP/X-Frame-Options">The X-Frame-Options response header</a></dt>
- <dd>
- <p>The <code>X-Frame-Options:</code> <a href="/en/HTTP" title="en/HTTP">HTTP</a> response header can be used to indicate whether or not a browser should be allowed to render a page in a {{ HTMLElement("frame") }}. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.</p>
- </dd>
- <dt>Securing Your Site using Htaccess</dt>
- <dd>It is the best way to secure your site using the .htaccess file. You can blacklist IPs, restrict access to certain areas of website, protect different files, protect against image hotlinking, and a lot more.</dd>
-</dl>
-
-<h2 id="See_also">See also</h2>
-
-<ul>
- <li><a class="external" href="https://www.owasp.org/">Open Web Application Security Project (OWASP)</a></li>
-</ul>
-
-<div>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</div>
+There are a number of things you can do to help secure your site. This article offers an assortment of suggestions, as well as links to other articles providing more useful information.
+
+> **Примечание:** This article is a work in progress, and is neither complete nor does following its suggestions guarantee your site will be fully secure.
+
+## User information security
+
+- [How to turn off form autocompletion](/en/How_to_Turn_Off_Form_Autocompletion "en/How to Turn Off Form Autocompletion")
+  - : Form fields support autocompletion in Gecko; that is, their values can be remembered and automatically brought back the next time the user visits your site. For certain types of data, you may wish to disable this feature.
+- [Privacy and the :visited selector](/en/CSS/Privacy_and_the_:visited_selector "en/CSS/Privacy and the :visited selector")
+  - : This article discusses changes made to the `getComputedStyle()` method that eliminates the ability for malicious sites to figure out the user's browsing history.
+- [Hash passwords using a secure algorithm](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) (OWASP)
+  - : Storing passwords in plain text can lead to attackers knowing and leaking the exact password of your site's users, potentially putting the users at risk. The same issues can arise if you use an old or insecure algorithm for hashing (such as md5). You should use a password-specific hashing algorithm (such as Argon2, PBKDF2, scrypt or bcrypt) instead of message digest algorithms (such as md5 and sha). This article showcases best practices to use when storing passwords.
+
+## Content security
+
+- [Properly configuring server MIME types](/en/Properly_Configuring_Server_MIME_Types "en/Properly Configuring Server MIME Types")
+  - : There are several ways incorrect MIME types can cause potential security problems with your site. This article explains some of those and shows how to configure your server to serve files with the correct MIME types.
+- [HTTP Strict Transport Security](/en/Security/HTTP_Strict_Transport_Security "en/Security/HTTP Strict Transport Security")
+  - : The `Strict-Transport-Security:` [HTTP](/en/HTTP "en/HTTP") header lets a website specify that it may only be accessed using HTTPS.
+- [HTTP access control](/ru/docs/Web/HTTP/CORS "En/HTTP access control")
+  - : The Cross-Origin Resource Sharing standard provides a way to specify what content may be loaded from other domains. You can use this to prevent your site from being used improperly; in addition, you can use it to establish resources that other sites are expressly permitted to use.
+- [Content Security Policy](/en/Security/CSP)
+  - : An added layer of security that helps to detect and mitigate certain types of attacks, including {{Glossary("Cross-site_scripting", "Cross Site Scripting (XSS)")}} and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. Code is executed by the victims and lets the attackers bypass access controls and impersonate users. According to the Open Web Application Security Project, XSS was the [seventh most common Web app vulnerability](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) in 2017.
+- [The X-Frame-Options response header](/ru/docs/Web/HTTP/X-Frame-Options)
+  - : The `X-Frame-Options:` [HTTP](/en/HTTP "en/HTTP") response header can be used to indicate whether or not a browser should be allowed to render a page in a {{ HTMLElement("frame") }}. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
+- Securing Your Site using Htaccess
+  - : It is the best way to secure your site using the .htaccess file. You can blacklist IPs, restrict access to certain areas of website, protect different files, protect against image hotlinking, and a lot more.
+
+## See also
+
+- [Open Web Application Security Project (OWASP)](https://www.owasp.org/)
+
+{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}
diff --git a/files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.md b/files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.md
index ab942b6e0786b6..3afb494bbcd34d 100644
--- a/files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.md
+++ b/files/ru/web/security/securing_your_site/turning_off_form_autocompletion/index.md
@@ -3,68 +3,70 @@ title: How to turn off form autocompletion
 slug: Web/Security/Securing_your_site/Turning_off_form_autocompletion
 translation_of: Web/Security/Securing_your_site/Turning_off_form_autocompletion
 ---
-<p><span class="seoSummary">В этой статье объясняется как можно отключить автозаполнение полей на сайте.</span></p>
+В этой статье объясняется как можно отключить автозаполнение полей на сайте.
 
-<p>По умолчанию браузеры запоминают информацию, которую пользователи отправляют через {{HTMLElement("input")}} поля на сайтах. Это позволяет браузеру предлагать варианты для автодополнения (то есть предлагать возможные дополнения для полей, в которые пользователь начал вводить данные) или автозаполнение (то есть предварительно заполнять определённые поля при загрузке).</p>
+По умолчанию браузеры запоминают информацию, которую пользователи отправляют через {{HTMLElement("input")}} поля на сайтах. Это позволяет браузеру предлагать варианты для автодополнения (то есть предлагать возможные дополнения для полей, в которые пользователь начал вводить данные) или автозаполнение (то есть предварительно заполнять определённые поля при загрузке).
 
-<p>Эти функции обычно включены по умолчанию, но они могут вызвать проблемы конфиденциальности пользователей, поэтому браузеры могут позволить отключать их. Однако некоторые данные, представленные в формах, либо не будут полезны в будущем (например, одноразовый пин-код), либо содержат конфиденциальную информацию (например, уникальный правительственный идентификатор или код безопасности кредитной карты). Как автор сайта, вы можете предпочесть, чтобы браузер не запоминал значения для таких полей, даже если в браузере включена функция автозаполнения.</p>
+Эти функции обычно включены по умолчанию, но они могут вызвать проблемы конфиденциальности пользователей, поэтому браузеры могут позволить отключать их. Однако некоторые данные, представленные в формах, либо не будут полезны в будущем (например, одноразовый пин-код), либо содержат конфиденциальную информацию (например, уникальный правительственный идентификатор или код безопасности кредитной карты). Как автор сайта, вы можете предпочесть, чтобы браузер не запоминал значения для таких полей, даже если в браузере включена функция автозаполнения.
 
-<p>It is important to know that if you turn off autocomplete, you are <strong>breaking</strong> the rule <a href="https://www.w3.org/WAI/WCAG21/Understanding/identify-input-purpose.html">1.3.5: Identify Input Purpose in WCAG 2.1</a>. If you are making a website that should follow WCAG, you should use autocomplete with autofill.</p>
+It is important to know that if you turn off autocomplete, you are **breaking** the rule [1.3.5: Identify Input Purpose in WCAG 2.1](https://www.w3.org/WAI/WCAG21/Understanding/identify-input-purpose.html). If you are making a website that should follow WCAG, you should use autocomplete with autofill.
 
-<h2 id="Disabling_autocompletion">Disabling autocompletion</h2>
+## Disabling autocompletion
 
-<p>To disable autocompletion in forms, you can set the <code><a href="/en-US/docs/Web/HTML/Attributes/autocomplete">autocomplete</a></code> attribute to "off":</p>
+To disable autocompletion in forms, you can set the [`autocomplete`](/en-US/docs/Web/HTML/Attributes/autocomplete) attribute to "off":
 
-<pre class="brush: html">autocomplete="off"</pre>
+```html
+autocomplete="off"
+```
 
-<p>You can do this either for an entire form, or for specific input elements in a form:</p>
+You can do this either for an entire form, or for specific input elements in a form:
 
-<pre class="brush: html">&lt;form method="post" action="/form" autocomplete="off"&gt;
+```html
+<form method="post" action="/form" autocomplete="off">
 […]
-&lt;/form&gt;</pre>
+</form>
+```
 
-<pre class="brush: html">&lt;form method="post" action="/form"&gt;
+```html
+<form method="post" action="/form">
   […]
-  &lt;div&gt;
-    &lt;label for="cc"&gt;Credit card:&lt;/label&gt;
-    &lt;input type="text" id="cc" name="cc" autocomplete="off"&gt;
-  &lt;/div&gt;
-&lt;/form&gt;</pre>
+  <div>
+    <label for="cc">Credit card:</label>
+    <input type="text" id="cc" name="cc" autocomplete="off">
+  </div>
+</form>
+```
 
-<p>Setting <code>autocomplete="off"</code> on fields has two effects:</p>
+Setting `autocomplete="off"` on fields has two effects:
 
-<ul>
- <li>It tells the browser not to save data inputted by the user for later autocompletion on similar forms, though heuristics for complying vary by browser.</li>
- <li>It stops the browser from caching form data in the session history. When form data is cached in session history, the information filled in by the user is shown in the case where the user has submitted the form and clicked the Back button to go back to the original form page.</li>
-</ul>
+- It tells the browser not to save data inputted by the user for later autocompletion on similar forms, though heuristics for complying vary by browser.
+- It stops the browser from caching form data in the session history. When form data is cached in session history, the information filled in by the user is shown in the case where the user has submitted the form and clicked the Back button to go back to the original form page.
 
-<p>If a browser keeps on making suggestions even after setting autocomplete to off, then you have to change the name attribute of the input element.</p>
+If a browser keeps on making suggestions even after setting autocomplete to off, then you have to change the name attribute of the input element.
 
-<h2 id="The_autocomplete_attribute_and_login_fields">The autocomplete attribute and login fields</h2>
+## The autocomplete attribute and login fields
 
-<p>Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.</p>
+Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.
 
-<p>Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.</p>
+Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.
 
-<p>Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.</p>
+Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
 
-<p>For this reason, many modern browsers do not support <code>autocomplete="off"</code> for login fields:</p>
+For this reason, many modern browsers do not support `autocomplete="off"` for login fields:
 
-<ul>
- <li>If a site sets <code>autocomplete="off"</code> for a {{HTMLElement("form")}}, and the form includes username and password input fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.</li>
- <li>If a site sets <code>autocomplete="off"</code> for username and password {{HTMLElement("input")}} fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.</li>
-</ul>
+- If a site sets `autocomplete="off"` for a {{HTMLElement("form")}}, and the form includes username and password input fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
+- If a site sets `autocomplete="off"` for username and password {{HTMLElement("input")}} fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
 
-<p>This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).</p>
+This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
 
-<h3 id="Preventing_autofilling_with_autocompletenew-password">Preventing autofilling with autocomplete="new-password"</h3>
+### Preventing autofilling with autocomplete="new-password"
 
-<p>If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use <code>autocomplete="new-password"</code>.</p>
+If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use `autocomplete="new-password"`.
 
-<p>This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling <code>&lt;input&gt;</code> elements with <code>autocomplete="new-password"</code> for this very reason. For example, Firefox version 67 (see {{bug(1119063)}}) stopped autofilling in this case; however, Firefox 70 (see {{bug(1565407)}}) can suggest securely-generated passwords, but does not autofill a saved password. See the <a href="/en-US/docs/Web/HTML/Attributes/autocomplete#Browser_compatibility"><code>autocomplete</code> compat table</a> for more details.</p>
+This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling `<input>` elements with `autocomplete="new-password"` for this very reason. For example, Firefox version 67 (see {{bug(1119063)}}) stopped autofilling in this case; however, Firefox 70 (see {{bug(1565407)}}) can suggest securely-generated passwords, but does not autofill a saved password. See the [`autocomplete` compat table](/ru/docs/Web/HTML/Attributes/autocomplete#Browser_compatibility) for more details.
 
-<h2 id="Tools_for_disabling_autocompletion">Tools for disabling autocompletion</h2>
+## Tools for disabling autocompletion
 
-<p>The <a href="https://terrylinooo.github.io/jquery.disableAutoFill/">jquery.disableAutoFill</a> plugin randomizes an input's <code>name</code> attribute by default. When the form is submitted, the plugin restores the original name. This prevents auto-completion for all browsers (includes third-party auto-completion extensions) but doesn't necessarily help with login fields.</p>
+The [jquery.disableAutoFill](https://terrylinooo.github.io/jquery.disableAutoFill/) plugin randomizes an input's `name` attribute by default. When the form is submitted, the plugin restores the original name. This prevents auto-completion for all browsers (includes third-party auto-completion extensions) but doesn't necessarily help with login fields.
 
-<p>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</p>
+{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}

From 2854c5e9b6c0fd0d49b3cfb6c5786c7cff100753 Mon Sep 17 00:00:00 2001
From: Sasha Sushko <sushko@outlook.com>
Date: Sun, 2 Oct 2022 13:43:33 +0500
Subject: [PATCH 3/3] Update files/ru/web/security/same-origin_policy/index.md

---
 files/ru/web/security/same-origin_policy/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/ru/web/security/same-origin_policy/index.md b/files/ru/web/security/same-origin_policy/index.md
index 57d8a3d8dd1d70..bce12c9bc4021f 100644
--- a/files/ru/web/security/same-origin_policy/index.md
+++ b/files/ru/web/security/same-origin_policy/index.md
@@ -52,7 +52,7 @@ document.domain = "company.com";
 
 Номер порта проверяется браузером отдельно. Любой вызов `document.domain`, включающий `document.domain = document.domain`, заменяет номер порта, устанавливая его в значение `null`. Следовательно, **невозможно** вызов `company.com:8080` обозначить `company.com` одной лишь установкой`document.domain = "company.com"` в начале. Он должен быть установлен в обоих случаях и номер портов в этих случаях должны равняться значению `null`.
 
-> **Примечание:** **Замечание:** Когда используется `document.domain` для разрешения поддомена для родительского доступа к нему, вы должны установить `document.domain` в _такое же значение,_ как в родительском домене, так и в поддомене. Это необходимо, даже если при этом просто восстанавливается исходное значение родительского домена. Несоблюдение этого правила может привести к ошибкам разрешений.
+> **Примечание:** Когда используется `document.domain` для разрешения поддомена для родительского доступа к нему, вы должны установить `document.domain` в _такое же значение,_ как в родительском домене, так и в поддомене. Это необходимо, даже если при этом просто восстанавливается исходное значение родительского домена. Несоблюдение этого правила может привести к ошибкам разрешений.
 
 ## Cross-origin network access
 

URL	Outcome	Reason
`http://store.company.com/dir2/other.html`	Success
`http://store.company.com/dir/inner/another.html`	Success
`https://store.company.com/secure.html`	Failure	Different protocol
`http://store.company.com:81/dir/etc.html`	Failure	Different port
`http://news.company.com/dir/other.html`	Failure	Different host
Attributes
{{domxref("window.closed")}}	Read only.
{{domxref("window.frames")}}	Read only.
{{domxref("window.length")}}	Read only.
{{domxref("window.location")}}	Read/write.
{{domxref("window.opener")}}	Read only.
{{domxref("window.parent")}}	Read only.
{{domxref("window.self")}}	Read only.
{{domxref("window.top")}}	Read only.
{{domxref("window.window")}}	Read only.