-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core: INSECURE_DOCUMENT_REQUEST errors still return lhr #6608
Changes from 5 commits
4c658fb
eb7f5a3
62787ee
3577e0c
2c0b251
e22d9ca
9e54f1b
059d95e
51e4f05
1ce9144
4bd59e4
53e00a7
1b6e678
dde5b95
4807cf0
2d505e8
1e1fc8a
0a0e8e0
b863fbd
da6fd9c
3c54326
ab0582b
f272978
e6a659a
271a80a
8bbcbc4
04b1f64
1da3b01
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -81,13 +81,6 @@ class Driver { | |
this._eventEmitter.emit(event.method, event.params); | ||
}); | ||
|
||
/** | ||
* Used for monitoring network status events during gotoURL. | ||
* @type {?LH.Crdp.Security.SecurityStateChangedEvent} | ||
* @private | ||
*/ | ||
this._lastSecurityState = null; | ||
|
||
/** | ||
* @type {number} | ||
* @private | ||
|
@@ -512,6 +505,53 @@ class Driver { | |
}); | ||
} | ||
|
||
/** | ||
* Rejects if the security state is insecure. | ||
* @return {{promise: Promise<void>, cancel: function(): void}} | ||
* @private | ||
*/ | ||
_waitForSecurityCheck() { | ||
/** @type {(() => void)} */ | ||
let cancel = () => { | ||
throw new Error('_waitForSecurityCheck.cancel() called before it was defined'); | ||
}; | ||
|
||
const promise = new Promise(async (resolve, reject) => { | ||
/** | ||
* @param {LH.Crdp.Security.SecurityStateChangedEvent} event | ||
*/ | ||
const securityStateChangedListener = ({securityState, explanations}) => { | ||
this.sendCommand('Security.disable'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. do we need this in a promise chain like @exterkamp's cleanup? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you mean adding an There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. or an empty |
||
if (securityState === 'insecure') { | ||
const insecureDescriptions = explanations | ||
.filter(exp => exp.securityState === 'insecure') | ||
.map(exp => exp.description); | ||
const err = new LHError(LHError.errors.INSECURE_DOCUMENT_REQUEST, { | ||
securityMessages: insecureDescriptions.join(' '), | ||
}); | ||
reject(err); | ||
} else { | ||
resolve(); | ||
} | ||
}; | ||
|
||
// wait for Security.enable to resolve, so we skip whatever state change | ||
// events are in the pipeline | ||
await this.sendCommand('Security.enable'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I can't really explain it, but this only works when There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. do we have some tests/a test that can capture the cases that fail without this await but succeed with? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this also seems a bit like it has the potential to race :/ There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The test would basically be 1) go to https://expired.badssl.com/ (or load page with bad cert) 2) assert LH does not hang / exercise the full page load time out (so, within 5s??) would that be a good candidate for a smoke test? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK, it looks like it starts with the "neutral" security state (about: has no meaningful value for security) and then either goes to "secure" or "insecure", depending on the target page. So I can tweak the logic to listen for state changes until "not neutral" comes up There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
sounds great to me! There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If in offline mode, the security state is always "neutral" ... This is me running the pwa smoke test. First two security states are the online pass (neutral -> secure), last three(?) are the offline pass (neutral -> neutral... but with explanations) But in each case, the first state we care about is the first one with non-empty explanations. So maybe use that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Which makes sense... if there's no explanation for a security state, why value it? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For some reason, some offline urls gives three empty, neutral states in the offline pass. Perhaps better to just disable this check for the offline pass. |
||
this.once('Security.securityStateChanged', securityStateChangedListener); | ||
|
||
cancel = () => { | ||
this.off('Security.securityStateChanged', securityStateChangedListener); | ||
this.sendCommand('Security.disable'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. same here re: floating promise |
||
}; | ||
}); | ||
|
||
return { | ||
promise, | ||
cancel, | ||
}; | ||
} | ||
|
||
/** | ||
* Returns a promise that resolve when a frame has been navigated. | ||
* Used for detecting that our about:blank reset has been completed. | ||
|
@@ -741,6 +781,9 @@ class Driver { | |
/** @type {NodeJS.Timer|undefined} */ | ||
let maxTimeoutHandle; | ||
|
||
|
||
// Listener for security state change. Rejects if security issue is found. | ||
const waitForSecurityCheck = this._waitForSecurityCheck(); | ||
// Listener for onload. Resolves pauseAfterLoadMs ms after load. | ||
const waitForLoadEvent = this._waitForLoadEvent(pauseAfterLoadMs); | ||
// Network listener. Resolves when the network has been idle for networkQuietThresholdMs. | ||
|
@@ -752,6 +795,7 @@ class Driver { | |
// Wait for both load promises. Resolves on cleanup function the clears load | ||
// timeout timer. | ||
const loadPromise = Promise.all([ | ||
waitForSecurityCheck.promise, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this makes me a tad more nervous I feel like we need some beefier commenting on why this is OK, intuitively I wouldn't expect a putting it directly in the chain of waiting for load just makes it a bit high stakes There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it'd only work if the Also, isn't this method always called from "about:" -> "target url"? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
That's kinda what I'm talking about, just explaining why this is always going to be OK :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, OK I misunderstood. How's the comment I added? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nice! maybe we can add a sentence about how it I'm thinking something like // Listener that resolves or rejects on the first security state change.
// If the first change is secure, we resolve.
// If the first change is insecure, we reject.
// We can expect the security state to always change because this function
// is only used to move about:blank (neutral) -> the target url (something not neutral). Now that I'm thinking about it maybe it belongs in the |
||
waitForLoadEvent.promise, | ||
waitForNetworkIdle.promise, | ||
]).then(() => { | ||
|
@@ -771,6 +815,7 @@ class Driver { | |
}).then(_ => { | ||
return async () => { | ||
log.warn('Driver', 'Timed out waiting for page load. Checking if page is hung...'); | ||
waitForSecurityCheck.cancel(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it'd be easier to reason about all this canceling if each cancelable promise stores state about if it's been canceled yet and avoids doing it more than once. Then we could judiciously use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah this is ripe for cleanup, but this new parallel style will make it so much easier now, thank you!! There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. FWIW, I don't think anything would be harmed today if you threw this into There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. would also have to remove the self-cancel that I'll try the cancel state thing first There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hang on before you do that I was saying I don't think it would matter if we called There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK, LMK if that is better or worse |
||
waitForLoadEvent.cancel(); | ||
waitForNetworkIdle.cancel(); | ||
waitForCPUIdle && waitForCPUIdle.cancel(); | ||
|
@@ -959,26 +1004,6 @@ class Driver { | |
return result.body; | ||
} | ||
|
||
async listenForSecurityStateChanges() { | ||
this.on('Security.securityStateChanged', state => { | ||
this._lastSecurityState = state; | ||
}); | ||
await this.sendCommand('Security.enable'); | ||
} | ||
|
||
/** | ||
* @return {LH.Crdp.Security.SecurityStateChangedEvent} | ||
*/ | ||
getSecurityState() { | ||
if (!this._lastSecurityState) { | ||
// happens if 'listenForSecurityStateChanges' is not called, | ||
// or if some assumptions about the Security domain are wrong | ||
throw new Error('Expected a security state.'); | ||
} | ||
|
||
return this._lastSecurityState; | ||
} | ||
|
||
/** | ||
* @param {string} name The name of API whose permission you wish to query | ||
* @return {Promise<string>} The state of permissions, resolved in a promise. | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,7 +22,7 @@ const UIStrings = { | |
/** Error message explaining that Lighthouse could not load the requested URL and the steps that might be taken to fix the unreliability. */ | ||
pageLoadFailedWithDetails: 'Lighthouse was unable to reliably load the page you requested. Make sure you are testing the correct URL and that the server is properly responding to all requests. (Details: {errorDetails})', | ||
/** Error message explaining that the credentials included in the Lighthouse run were invalid, so the URL cannot be accessed. */ | ||
pageLoadFailedInsecure: 'The URL you have provided does not have valid security credentials. ({securityMessages})', | ||
pageLoadFailedInsecure: 'The URL you have provided does not have valid security credentials. {securityMessages}', | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Any reason for removing these? I feel like a list that might make no sense as a sentence like this belongs in parens. e.g. The URL...credentials. (Reason 1 Reason 2) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. A realistic error message reads like this:
Which is a valid sentence. So...ignore this maybe. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. correct-o, the sentences should make sense as - is. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. at least, in english .. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we need to add something about |
||
/** Error message explaining that Chrome has encountered an error during the Lighthouse run, and that Chrome should be restarted. */ | ||
internalChromeError: 'An internal Chrome error occurred. Please restart Chrome and try re-running Lighthouse.', | ||
/** Error message explaining that fetching the resources of the webpage has taken longer than the maximum time. */ | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no
async
here