core: INSECURE_DOCUMENT_REQUEST errors still return lhr

[connorjclark]

Fixes #6595.

[connorjclark]

Bad bot. why would you close a PR

[patrickhulce]

Could we get a bit of explanation for what was happening before and why we want this instead? :)

[patrickhulce]

we're injecting a lot of new if/try/catch blocks into some already beefy methods, do you think there's a way we might be able to push some of these complications down a level so the busier method is still easy to parse?

[connorjclark]

yes, if we can refactor Runner.run to easily return a (errored) LHR in its catch. Then changes to gather-runner wouldn't be necessary.

[brendankenny]

We're dropping the LHR requirement for now, so we can also drop these changes (there won't be a timing object to add this to if an error was thrown)

[connorjclark]

When there is a security issue, Page.navigate timesout, and the entire LH run is aborted fatally without returning a LHR. If ignored, more commands hang forever (Network.emulateNetworkConditions) - so the gather runner aborts as soon as it detects a security issue.

[connorjclark]

It would be much nicer if we could just throw the security error when discovered (like the PR has it in driver.goToURL), and don't attempt to handle it at all in the gather runner, letting it go up to the catch in Runner.run, and just returning a bare LHR with the runtimeError set. But that seems like a bigger change. All the complication in this code is just to set up the gatherer artifacts in a way that still produces a LHR...

[brendankenny]

But that seems like a bigger change. All the complication in this code is just to set up the gatherer artifacts in a way that still produces a LHR...

We should definitely do it the right way, even if it's more work, otherwise we're just going to keep paying for it until we do. It's already enough work to mentally reconstruct control flow through GatherRunner and page load in Driver, we don't want to add more branches if we don't have to :)

However, I think this gets back to #6336, which I failed to substatially bring up in the bug (#6595 (comment) :).

It's still not clear to me that we want an LHR with just the single top-level error for the CLI/Extension/DevTools clients (they have varying extents of their own UI for showing fatal errors like this). I feel like we need to settle the question of how to treat runtime errors in the different clients before we start any error-handling refactors.

[connorjclark]

OK, I removed all that complexity. Test w/ node lighthouse-cli https://expired.badssl.com/ --view to see that the run bails immediately on a security issue, instead of hanging.

The original issue requested returning an LHR, but I believe we don't care about that anymore, since LR now correctly forms a LHR when an error is thrown. @paulirish is this correct?

[brendankenny]

The original issue requested returning an LHR, but I believe we don't care about that anymore, since LR now correctly forms a LHR when an error is thrown.

a million 👍s from me :)

[exterkamp]

Any reason for removing these? I feel like a list that might make no sense as a sentence like this belongs in parens. e.g. The URL...credentials. (Reason 1 Reason 2)

[exterkamp]

A realistic error message reads like this:

The URL you have provided does not have valid security credentials. This site is missing a valid, trusted certificate (net::ERR_CERT_DATE_INVALID).

Which is a valid sentence. So...ignore this maybe.

[connorjclark]

correct-o, the sentences should make sense as - is.

[connorjclark]

at least, in english ..

[brendankenny]

I think we need to add something about securityMessages to the description for the translators. "securityMessages will be replaced with one or more strings from the browser explaining what was insecure about the page load." or whatever

[exterkamp]

What is this requestedUrl business about? Does it relate to INSECURE DOC requests?

[connorjclark]

if the doc fails to load, the "finalUrl" is never set. so fall back to requestUrl

[brendankenny]

What is this requestedUrl business about?

I believe left over from the old version of the PR, should be able to remove from here now (and from github-api.js and report-ui-features.js)

[connorjclark]

Oof you're right, forgot to check if that was still necessary.

[brendankenny]

big move request :)

[brendankenny]

can we just combine the two of these? Seems unnecessary to split (waitForSecurityIssuesCheck doesn't really do anything in isolation and they aren't called separately)

[paulirish]

we talked earlier about the order of the listener vs calling enable().

......maybe the order right now is OK. if you listened before calling security.enable then perhaps you would get a statechanged event for the about:blank state.

I'm not totally sure about this.

but typically we do like setting up the event listener before enable is called, because enable usually flushes all events before it results.

[brendankenny]

To do this right, I think @paulirish is right and this should move into waitForFullyLoaded. We shouldn't be mucking around looking at network traffic before our traffic monitor is allowed to start monitoring :)

Take a look at this._waitForLoadEvent or this._waitForNetworkIdle for the promise/cancel cancellable promise model used, and _waitForFullyLoaded itself for where to put it in parallel with the timeout. It should be a pretty simple translation from waitForSecurityIssuesCheck already in this PR.

(and forgive the state of the code in those methods...they're super old and have pretty much only grown through accretion, not really refactored, so they're a bit creaky and brittle :)

[connorjclark]

what about the _waitForFrameNavigated case?

[brendankenny]

what about the _waitForFrameNavigated case?

that's only used for loading about:blank, so we're ok there. We should probably make that clearer, though really if you're saying waitForNavigated: true, you're basically forgoing all our checks already.

[brendankenny]

We're dropping the LHR requirement for now, so we can also drop these changes (there won't be a timing object to add this to if an error was thrown)

[connorjclark]

I can't really explain it, but this only works when awaiting the Security.enable ...

[patrickhulce]

do we have some tests/a test that can capture the cases that fail without this await but succeed with?

[patrickhulce]

this also seems a bit like it has the potential to race :/

[connorjclark]

The test would basically be 1) go to https://expired.badssl.com/ (or load page with bad cert) 2) assert LH does not hang / exercise the full page load time out (so, within 5s??)

would that be a good candidate for a smoke test?

[connorjclark]

OK, it looks like it starts with the "neutral" security state (about: has no meaningful value for security) and then either goes to "secure" or "insecure", depending on the target page. So I can tweak the logic to listen for state changes until "not neutral" comes up

[patrickhulce]

would that be a good candidate for a smoke test?

sounds great to me! who maintains badssl? do we expect it to be roughly up most of the time? oh we do, awesome yeah let's do it :D https://github.com/chromium/badssl.com

[brendankenny]

Just https://localhost:10200 could also work

[connorjclark]

If in offline mode, the security state is always "neutral" ...

This is me running the pwa smoke test. First two security states are the online pass (neutral -> secure), last three(?) are the offline pass (neutral -> neutral... but with explanations)

But in each case, the first state we care about is the first one with non-empty explanations. So maybe use that?

[connorjclark]

Which makes sense... if there's no explanation for a security state, why value it?

[connorjclark]

For some reason, some offline urls gives three empty, neutral states in the offline pass. Perhaps better to just disable this check for the offline pass.

[patrickhulce]

do we have some tests/a test that can capture the cases that fail without this await but succeed with?

[patrickhulce]

this also seems a bit like it has the potential to race :/

[patrickhulce]

do we need this in a promise chain like @exterkamp's cleanup?

[connorjclark]

Do you mean adding an await here?

[patrickhulce]

or an empty .catch if we don't care?

[patrickhulce]

same here re: floating promise

[patrickhulce]

this makes me a tad more nervous I feel like we need some beefier commenting on why this is OK, intuitively I wouldn't expect a securityStateChanged to be guaranteed to fire early on every single page load, i.e. why would it fire if I go from http to http or https to https or about: to about:, etc

putting it directly in the chain of waiting for load just makes it a bit high stakes

[connorjclark]

I think it'd only work if the Security domain is disabled before _waitForFullyLoaded runs. If a gatherer were to enable Security and forget to disable it, this may break?

Also, isn't this method always called from "about:" -> "target url"?

[patrickhulce]

Also, isn't this method always called from "about:" -> "target url"?

That's kinda what I'm talking about, just explaining why this is always going to be OK :)

[connorjclark]

Ah, OK I misunderstood. How's the comment I added?

[patrickhulce]

nice! maybe we can add a sentence about how it resolves too not just reject?

I'm thinking something like

     // Listener that resolves or rejects on the first security state change.
     // If the first change is secure, we resolve.
     // If the first change is insecure, we reject.
     // We can expect the security state to always change because this function
     // is only used to move about:blank (neutral) -> the target url (something not neutral).

Now that I'm thinking about it maybe it belongs in the _waitForSecurityCheck jsdoc :)

[paulirish]

typo fyi

[paulirish]

remains to be seen if we need this here, but if we do, i'd much rather this array live in a common place than be duplicated here and in the is-on-https audit.
url-shim.js has worked well in the past. move there and import to here and the audit?

---

update: yup, this stuff is unnecessary now, but FYI on the feedback.

[paulirish]

Good call, Brendan.

Example URL that redirects to insecure (but isn't caught currently): http://i.paul.irish
(as soon as DNS propagates, http://expiredredirect.paul.irish will do the same)

[patrickhulce]

still INSECRE ;)

[patrickhulce]

edit this comment to note that securityCheckPromise will only ever reject?

[patrickhulce]

OR crazy idea, the promise resolves with a cleanupFn that throws an error :D then the three cases are a little more parallel

[connorjclark]

to your second comment, so securityCheckPromise would be changed to resolve instead of reject?

[patrickhulce]

to your second comment, so securityCheckPromise would be changed to resolve instead of reject?

right it would go hand-in-hand with #6608 (comment) to enable to refactor

[patrickhulce]

there's a lot to unpack in this function that needs longstanding cleanup I'll take a whack at as a followup to #6944, for now WDYT about sticking this in a _waitForSecurityError or something following the {promise, cancel} paradigm we have currently?

[connorjclark]

The cancelAll and clearing the maxTimeoutHandle complicates that a lot. It's not clear to me how to extract into a function without using multiple parameter callbacks (or is that the cleanup you had in mind?)

[patrickhulce]

yeah this goes hand-in-hand with the resolve idea. I'm not sure we could easily pull it out with it still rejecting immediately

[connorjclark]

OK, I think I see how that'd work. I'll give it a shot

[connorjclark]

I think it'd be easier to reason about all this canceling if each cancelable promise stores state about if it's been canceled yet and avoids doing it more than once. Then we could judiciously use cancelAll in one place, after the Promise race.

[patrickhulce]

Yeah this is ripe for cleanup, but this new parallel style will make it so much easier now, thank you!!

[patrickhulce]

FWIW, I don't think anything would be harmed today if you threw this into cancelAll right?

[connorjclark]

would also have to remove the self-cancel that _waitForSecurityCheck does, otherwise it would cancel itself twice.

I'll try the cancel state thing first

[patrickhulce]

hang on before you do that I was saying I don't think it would matter if we called cancel twice, we're just extra disabling the security domain and removing a listener that might've been removed already.

[connorjclark]

OK, LMK if that is better or worse

[patrickhulce]

looks pretty good to me!

[patrickhulce]

this feels like a bug, we want to just add if (cancelled) return right?

[connorjclark]

oops, didn't meant to delete that.

can skip the guard here since reject/clearTimeout should have no effect after the first call.

[connorjclark]

of course, leaving out the guard looks like a mistake, so perhaps I should just add it anyways?

[brendankenny]

can skip the guard here since reject/clearTimeout should have no effect after the first call.

of course, leaving out the guard looks like a mistake, so perhaps I should just add it anyways?

I mean, it's also unnecessary everywhere else it's be added, isn't it? All removing listeners and clearing timeouts, which have no problem being run multiple times.

I'm OK with having them since that's how we would write a cancellable promise utility instead of doing each of these separately (in which case all of the methods should have it), but I'm also OK with dropping them since they aren't necessary (except for the Security.disable command in _waitForSecurityCheck)

[patrickhulce]

super nit: but I might have the promise resolve with the explanations and this fn create the error.

that feels a little more mainstream to resolve with data and then the type of the error is clear from within this fn

[connorjclark]

done

[patrickhulce]

❤️

[patrickhulce]

LGTM!

[brendankenny]

looking good. A few style things but nothing too big

[brendankenny]

boooo to one L :P

[connorjclark]

I prefer Mr. Webster's simplified spellings, but I could care more.

[brendankenny]

can skip the guard here since reject/clearTimeout should have no effect after the first call.

of course, leaving out the guard looks like a mistake, so perhaps I should just add it anyways?

I mean, it's also unnecessary everywhere else it's be added, isn't it? All removing listeners and clearing timeouts, which have no problem being run multiple times.

I'm OK with having them since that's how we would write a cancellable promise utility instead of doing each of these separately (in which case all of the methods should have it), but I'm also OK with dropping them since they aren't necessary (except for the Security.disable command in _waitForSecurityCheck)

[brendankenny]

interesting that we reject here but not in the others

[brendankenny]

maybe add a TODO here for whatever @patrickhulce is planning with the refactor? cancel() should really be a promise itself to handle things like this

[brendankenny]

rename since it resolves only in the case of insecurity (and the check isn't singular, it just goes until it isn't needed)? _waitForInsecureState? _monitorForInsecureState? Something else?

[brendankenny]

FWIW for future refactoring, @paulirish mentioned he doesn't think this check is necessary anymore (errors are successfully being detected elsewhere, I guess)

[brendankenny]

ha, I think I disagree with @patrickhulce. The internals of SecurityStateExplanation seem like a distraction from the actual purpose of _waitForFullyLoaded, since either way we're using waitForSecurityCheck to alert us of an error, the question is if we should do more work in there or out here.

If that's not convincing, maybe we could split the difference? Filter and map within _waitForSecurityCheck and then it only needs to be

const securityCheckPromise = waitForSecurityCheck.promise.then(securityMessages => {
  return function() {
    throw new new LHError(LHError.errors.INSECURE_DOCUMENT_REQUEST, {securityMessages});
  }
});

(using the cleanupFn to reject the promise is a little weird but w/e :P)

[brendankenny]

having this cleanupFn setup now is weird if they all can (and should) be cancelled regardless, but that can wait for the refactor too

[brendankenny]

I think we need to add something about securityMessages to the description for the translators. "securityMessages will be replaced with one or more strings from the browser explaining what was insecure about the page load." or whatever

[paulirish]

functionally, this works great.

You'll want to add this at the top of popup.js:

  'INSECURE_DOCUMENT_REQUEST': 'The URL you have provided does not have valid' +
      ' security credentials.',

lgtm on everything else.

[brendankenny]

this is a weird use of async/await (and depending on driver.once calls you'll end up with an unhandled promise rejection for the throw below).

Can we just

// wait a tick b/c real events never fire immediately
setTimeout(_ => cb(events[eventName]), 0);
return;

like normal people? :P

[brendankenny]

I meant drop the async/await in favor of the setTimeout :)

[brendankenny]

this poor driverStub was never meant to be used repeatedly :)

Can you also break the cycle and make a new Driver(connection) within each of these tests? We can deal with having a fresh connection later

[patrickhulce]

FWIW I'm also rather fond of keeping all the mocking close to the test like I did over in manifest PR with jest.spyOn. Given the way the past few reviews have gone I'm guessing @brendankenny feels the opposite though so take it with a grain of salt 😂

[brendankenny]

Given the way the past few reviews have gone I'm guessing @brendankenny feels the opposite

Ha, I'm not entirely sure how to interpret that. I also like maximizing locality so you can see what's actually been done to the mock you have to use. But I am generally against mocks if at all possible, if that's what that means :)

[patrickhulce]

I also like maximizing locality

phew! :)

Ha, I'm not entirely sure how to interpret that.

only a joke no worries, just I feel like I've lead @hoten chasing too many wild geese lately 😆

[brendankenny]

only a joke no worries

lol I was trying to read too deeply :) :)

[brendankenny]

@hoten you'll need to rerun yarn diff:sample-json to pick up the new description

[brendankenny]

just the one test change and rerun yarn diff:sample-json and I think we may be good to go!

[brendankenny]

I meant drop the async/await in favor of the setTimeout :)

[brendankenny]

ooh nice

too slow

[brendankenny]

[connorjclark]