
core(network-request): consider HSTS redirects secure #12681

Merged (1 commit, Jun 22, 2021)

Conversation

patrickhulce (Collaborator)
Summary
Often the HTTPS audit fails because the original URL audited was http, so even if it redirects then you still have the original redirect request over HTTP. We can kinda explain why this is desirable (though I'm not really sold it's worth the annoyance), but it's definitely not the case in HSTS internal redirects that happen in the browser, which is the whole point of HSTS. This applies to entire TLDs in some cases (.app/.dev), so we should handle those cases appropriately.

Related Issues/PRs
fixes #12674

@patrickhulce patrickhulce requested a review from a team as a code owner June 22, 2021 17:29
@patrickhulce patrickhulce requested review from adamraine and removed request for a team June 22, 2021 17:29
@google-cla google-cla bot added the cla: yes label Jun 22, 2021
```js
if (!destination) return false;

const reasonHeader = record.responseHeaders
  .find(header => header.name === 'Non-Authoritative-Reason');
```
Member:
ha, I wonder how this header ended up with this name

Collaborator:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.4

non-authoritative because the info (the redirect) comes from a third party (HSTS list in the browser), not the intended origin
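The classification the PR is after, written out as an added example rather than Lighthouse's own code. It assumes a simplified network-record shape (`url`, `statusCode`, `responseHeaders` as `{name, value}` pairs, and `redirectDestination` pointing at the record the browser issued next); a request counts as secure when its own URL is https/wss, or when it is the browser-synthesized HSTS redirect (identified by `Non-Authoritative-Reason: HSTS`) and the redirect lands on a secure destination. A plain server-side 301 from http to https is deliberately still flagged, because that first request really did leave the machine in cleartext. The sample records are constructed, not captured from a run.

```javascript
// Added example, not Lighthouse's own code. Assumed record shape (simplified):
// { url, statusCode, responseHeaders: [{ name, value }], redirectDestination }
// where redirectDestination is the record the browser issued next, if any.

const SECURE_SCHEMES = new Set(['https:', 'wss:']);

function isSecureUrl(url) {
  try {
    return SECURE_SCHEMES.has(new URL(url).protocol);
  } catch {
    return false; // an unparseable URL is never treated as secure
  }
}

// HTTP header names are case-insensitive, so match on a lowercased name.
function getHeader(record, name) {
  const wanted = name.toLowerCase();
  const header = (record.responseHeaders || [])
    .find(h => h.name.toLowerCase() === wanted);
  return header ? header.value : undefined;
}

// An HSTS upgrade never goes out on the wire: the browser synthesizes an
// internal redirect response carrying `Non-Authoritative-Reason: HSTS` and
// re-issues the request over https. Such a record only counts as secure when
// the redirect actually lands on a secure destination; the header alone, with
// no destination or with a destination that is still http, does not qualify.
function isHstsInternalRedirect(record) {
  const destination = record.redirectDestination;
  if (!destination) return false;
  if (getHeader(record, 'Non-Authoritative-Reason') !== 'HSTS') return false;
  return isSecureUrl(destination.url);
}

function isSecureRequest(record) {
  return isSecureUrl(record.url) || isHstsInternalRedirect(record);
}

// URLs of every record an HTTPS audit would still flag.
function findInsecureRequests(records) {
  return records.filter(r => !isSecureRequest(r)).map(r => r.url);
}

// Constructed sample records (not captured from a real run).
// 1) http://example.dev/ : .dev is HSTS-preloaded, so the browser upgrades in place.
const hstsTarget = {url: 'https://example.dev/', statusCode: 200, responseHeaders: []};
const hstsRedirect = {
  url: 'http://example.dev/',
  statusCode: 307,
  responseHeaders: [{name: 'Non-Authoritative-Reason', value: 'HSTS'}],
  redirectDestination: hstsTarget,
};
// 2) http://example.com/ : an ordinary server-side redirect; the first request really
//    left the machine in cleartext, so it stays insecure even though it ends on https.
const serverTarget = {url: 'https://example.com/', statusCode: 200, responseHeaders: []};
const serverRedirect = {
  url: 'http://example.com/',
  statusCode: 301,
  responseHeaders: [{name: 'Location', value: 'https://example.com/'}],
  redirectDestination: serverTarget,
};

const sampleRecords = [hstsRedirect, hstsTarget, serverRedirect, serverTarget];

console.log('insecure:', findInsecureRequests(sampleRecords));
```

Only `http://example.com/` is reported: the HSTS-upgraded `.dev` navigation passes because the destination it delegates to is https, while a header that says `HSTS` but has no secure destination behind it is rejected.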

@patrickhulce patrickhulce merged commit 6de5b43 into master Jun 22, 2021
@patrickhulce patrickhulce deleted the hsts_secure branch June 22, 2021 18:53
Closes issue: Lighthouse doesn't automatically treat .app or .dev TLDs as HTTPS
5 participants