core(is-on-https): add mixed-content resolution #10975
Conversation
| } | ||
| "score": null, | ||
| "scoreDisplayMode": "error", | ||
| "errorMessage": "Required InspectorIssues gatherer did not run." |
There was a problem hiding this comment.
hmmm
should we use optionalArtifacts again?
seems good.
but also we can add a stub to the artifacts fixtures
There was a problem hiding this comment.
No, I'll just fix the sample artifacts.
don't think optional artifacts fits here. it's meant to allow flexibility in which gatherers can run today, based only on what gatherers are in the config. since InspectorIssues is in the default config, it won't benefit.
| /** @type {LH.Audit.Details.Table['headings']} */ | ||
| const headings = [ | ||
| {key: 'url', itemType: 'url', text: str_(UIStrings.columnInsecureURL)}, | ||
| ]; | ||
|
|
||
| // Mixed-content issues aren't emitted until M84. | ||
| if (artifacts.InspectorIssues.mixedContent.length) { | ||
| headings.push( |
There was a problem hiding this comment.
so does anyone hate this
There was a problem hiding this comment.
so does anyone hate this
seems fine for < m84, but it is a little weird after that to have an optional column.
I assume if there are items caught by the HTTPS.isSecureRecord filter, they should (almost?) always have a mixed Content issue associated with them. Would it be terrible to give every entry a default resolution: undefined then, since they'll (almost?) always have one anyways ≥ m84?
There was a problem hiding this comment.
That's my expectation.
Also, I'll file an issue to follow up and remove the isSecureRecord part completely once M84 lands.
Would it be terrible to give every entry a default resolution: undefined then
sure.
There was a problem hiding this comment.
Also, I'll file an issue to follow up and remove the isSecureRecord part completely make the header always added once M84 lands.
There was a problem hiding this comment.
cc #10976 some other m84 stuff.
There was a problem hiding this comment.
bump on
I'll file an issue to follow up and make the header always added once M84 lands.
so it's not lost in the middle of this review.
| /** @type {LH.Audit.Details.Table['headings']} */ | ||
| const headings = [ | ||
| {key: 'url', itemType: 'url', text: str_(UIStrings.columnInsecureURL)}, | ||
| ]; | ||
|
|
||
| // Mixed-content issues aren't emitted until M84. | ||
| if (artifacts.InspectorIssues.mixedContent.length) { | ||
| headings.push( |
There was a problem hiding this comment.
so does anyone hate this
seems fine for < m84, but it is a little weird after that to have an optional column.
I assume if there are items caught by the HTTPS.isSecureRecord filter, they should (almost?) always have a mixed Content issue associated with them. Would it be terrible to give every entry a default resolution: undefined then, since they'll (almost?) always have one anyways ≥ m84?
| @@ -42,6 +43,7 @@ describe('Security: HTTPS audit', () => { | |||
| assert.strictEqual(result.score, 0); | |||
| expect(result.displayValue).toBeDisplayString('1 insecure request found'); | |||
| assert.deepEqual(result.extendedInfo.value[0], {url: 'http://insecure.com/image.jpeg'}); | |||
There was a problem hiding this comment.
result.extendedInfo
guh we really have to land #10779 :)
| expect(result.details.items[0]).toMatchObject({url: 'http://localhost/image.jpeg'}); | ||
| expect(result.details.items[0].resolution).toBeDisplayString('Blocked'); |
There was a problem hiding this comment.
super-nit: can be fancy and do
| expect(result.details.items[0]).toMatchObject({url: 'http://localhost/image.jpeg'}); | |
| expect(result.details.items[0].resolution).toBeDisplayString('Blocked'); | |
| expect(result.details.items[0]).toMatchObject({ | |
| url: 'http://localhost/image.jpeg', | |
| resolution: expect.toBeDisplayString('Blocked'), | |
| }); |
(or it could be s/toMatchObject/toEqual if both are there?)
There was a problem hiding this comment.
oh i missed the fancy
neat
|
oh, https://web.dev/is-on-https needs updating as well. Maybe there are devtools docs we can utilize for the resolution types? |
|
the http jquery script doesn't emit a mixed-content issue ... I guess because the domain is This audit currently checks if the resource is on secure domain, but shouldn't we check if the finalURL is? if on localhost shouldn't this audit always pass? |
good question. It's possible this is intentional (you don't get penalized for loading resources from localhost because what can you do about that during local development, but you do get penalized developing in localhost but loading resources that will be insecure once you deploy your site into production), but I don't remember. @paulirish @patrickhulce? If it is intentional we should make sure to write it down this time :) |
I don't understand these questions and I'm not sure what we would document being intentional so I'm guessing that things I thought were unambiguous about this audit aren't actually shared by anyone else 😆 I always thought that the |
No, I think that's it :) It does fall out as a natural consequence when thought about it that way, I guess it's just coming up now because the MixedContentIssues don't think that it's an issue. |
|
Ok, thanks for framing the audit patrick. I think the issue was the assumption that mixed content issues would 1:1 replace this audit. That is clearly not the case. So we now know that there are items we want to surface that wont have a mixed content issue. For |
| /** Label for a column in a data table; entries in the column will be how the browser handled insecure (non-HTTPS) network requests. */ | ||
| columnResolution: 'Resolution', | ||
| /** Value for the resolution column in a data table; denotes that the insecure URL was allowed by the browser. */ | ||
| allowed: 'Allowed', |
There was a problem hiding this comment.
wording wise its odd that the first column is "URL" and second column is "Resolution"
The resolution doesn't apply to that URL, but to the network request of that URL.
Adding "request" here I think helps both this and brendan's concern.
"Request allowed/blocked" ? "Request allowed with warning"?
btw here's an example of a warning case (insecure form submission): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/core/loader/mixed_content_checker.cc;l=731-747;drc=5ba77dad98cf94506cf3700f9e12fcdc65fadfb6
"Request automatically upgraded to HTTPS"
| /** @type {LH.Audit.Details.Table['headings']} */ | ||
| const headings = [ | ||
| {key: 'url', itemType: 'url', text: str_(UIStrings.columnInsecureURL)}, | ||
| ]; | ||
|
|
||
| // Mixed-content issues aren't emitted until M84. | ||
| if (artifacts.InspectorIssues.mixedContent.length) { | ||
| headings.push( |
There was a problem hiding this comment.
cc #10976 some other m84 stuff.
| @@ -33,7 +33,9 @@ class InspectorIssues extends Gatherer { | |||
| async beforePass(passContext) { | |||
| const driver = passContext.driver; | |||
| driver.on('Audits.issueAdded', this._onIssueAdded); | |||
| // try { | |||
There was a problem hiding this comment.
we can remove these all now tho?
There was a problem hiding this comment.
It breaks appveyor rn :/
but yeah once #10976 lands we can set a min chrome for the is-on-https expectation.
| await driver.sendCommand('Audits.enable'); | ||
| try { | ||
| await driver.sendCommand('Audits.enable'); | ||
| } catch (_) {} // Fails if Chrome is old. |
There was a problem hiding this comment.
"Fails if Chrome is older than mXX"
not a huge deal but my brain associates "old"/age with higher numbers, but here, older means lower. 😖
maybe we just stick to if Chrome is < m82 or w/e
There was a problem hiding this comment.
LGTM!
maybe add a smoke test entry? dbw has a "resolution": "Allowed" for its 1 item
| /** Label for a column in a data table; entries in the column will be how the browser handled insecure (non-HTTPS) network requests. */ | ||
| columnResolution: 'Resolution', | ||
| /** Value for the resolution column in a data table; denotes that the insecure URL was allowed by the browser. */ | ||
| allowed: 'Allowed', |
There was a problem hiding this comment.
I still think Request Resolution: 'Allowed' still raises "why is Lighthouse marking it as a problem if it was allowed?" but it seems fine to wait to see if there's any actual user confusion before coming up with something new :)
I only raise it because if it does come up in the future, I don't want to see us saying "oh, well it should just be allowed and not marked as a failure, then" and instead keep following @patrickhulce's reasoning in #10975 (comment).
| /** @type {LH.Audit.Details.Table['headings']} */ | ||
| const headings = [ | ||
| {key: 'url', itemType: 'url', text: str_(UIStrings.columnInsecureURL)}, | ||
| ]; | ||
|
|
||
| // Mixed-content issues aren't emitted until M84. | ||
| if (artifacts.InspectorIssues.mixedContent.length) { | ||
| headings.push( |
There was a problem hiding this comment.
bump on
I'll file an issue to follow up and make the header always added once M84 lands.
so it's not lost in the middle of this review.
| // (localhost is a secure context), but we still identify `http` requests | ||
| // as an "Allowed" insecure URL. | ||
| for (const item of items) { | ||
| if (!item.resolution) item.resolution = UIStrings.allowed; |
There was a problem hiding this comment.
| if (!item.resolution) item.resolution = UIStrings.allowed; | |
| if (!item.resolution) item.resolution = str_(UIStrings.allowed); |
The mixed-content Issue won't be emitted until M84 (next month), so this new column is added as a progressive enhancement.