
Idea: provide the tool with an authorization token or cookie to test deep pages of a website #49

Open
lirantal opened this issue Dec 4, 2019 · 6 comments

@lirantal lirantal commented Dec 4, 2019

Is your feature request related to a problem? Please describe.
Currently, you can only test pages which you have access to as an anonymous user. What if you wanted to test a deeply nested page as a logged in user?

Describe the solution you'd like
Being able to provide a cookie or an authorization token that will be passed to Lighthouse (needs to check if LH supports this) will allow users to test specific pages that are beyond the firewall.

@lirantal lirantal added the enhancement label Dec 4, 2019
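As an added illustration of the requested option (not code from this issue or from the project), here is how a cookie or bearer token could be handed to Lighthouse through its documented `extraHeaders` setting (the CLI exposes the same thing as `--extra-headers`), sourced from the environment and scrubbed from the report before it is stored. The function names, the `AUDIT_COOKIE`/`AUDIT_TOKEN` variables and the use of the `lighthouse` and `chrome-launcher` npm packages are assumptions.

```javascript
// Added example, not the project's own code. Assumes the `lighthouse` and
// `chrome-launcher` packages and Lighthouse's documented `extraHeaders` setting.
// buildLighthouseFlags, redactSecret, auditAuthenticatedPage and the AUDIT_*
// environment variables are hypothetical names.

// Build the flags object for lighthouse(url, flags). Exactly one credential
// kind is accepted; it travels as a request header on every navigation and is
// never embedded in the URL, where it would end up in logs and the report.
function buildLighthouseFlags({ port, cookie, bearerToken }) {
  if (cookie && bearerToken) {
    throw new Error('provide either a cookie or a bearer token, not both');
  }
  const extraHeaders = {};
  if (cookie) extraHeaders.Cookie = cookie;
  if (bearerToken) extraHeaders.Authorization = `Bearer ${bearerToken}`;
  return {
    port,
    output: 'json',
    logLevel: 'error',
    onlyCategories: ['best-practices'],
    extraHeaders,
  };
}

// Replace every occurrence of the secret with a fixed marker so the report
// (or a log line) can be kept as a CI artifact without the credential in it.
function redactSecret(text, secret) {
  if (!secret) return text;
  return text.split(secret).join('[REDACTED]');
}

// Launch headless Chrome, audit one authenticated page and return the
// redacted JSON report. Credentials are read from the environment only.
async function auditAuthenticatedPage(url) {
  const lighthouse = require('lighthouse');
  const chromeLauncher = require('chrome-launcher');
  const cookie = process.env.AUDIT_COOKIE;
  const bearerToken = process.env.AUDIT_TOKEN;
  const chrome = await chromeLauncher.launch({ chromeFlags: ['--headless'] });
  try {
    const flags = buildLighthouseFlags({ port: chrome.port, cookie, bearerToken });
    const { report } = await lighthouse(url, flags); // string for output: 'json'
    return redactSecret(redactSecret(report, cookie), bearerToken);
  } finally {
    await chrome.kill();
  }
}

module.exports = { buildLighthouseFlags, redactSecret, auditAuthenticatedPage };
```

Run it as `AUDIT_COOKIE='session=...' node -e "require('./audit').auditAuthenticatedPage('https://example.test/account').then(console.log)"`; the same flags object can be produced for the CLI with `--extra-headers`.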
@Ryuno-Ki Ryuno-Ki commented Dec 4, 2019

Hm, I wonder whether this would even be allowed?
I mean, the enterprises I worked in so far aren't happy to see information leaking out.
Especially to Google (German privacy obsession, I guess).


@lirantal lirantal commented Dec 4, 2019

How is Google related, and what information will leak out?


@Ryuno-Ki Ryuno-Ki commented Dec 4, 2019

I mean, with an auth cookie, you poke a hole in a firewall to let someone else in, don't you?
Since JS is "active", this would allow running arbitrary scripts.

I mean, yeah, you could say you trust Google to not be evil, but…
It leaves a bad taste for me.

Information like your infrastructure. I imagine even use cases for staging environment here.

Could also be checks for logged in users. But there, you normally have some kind of personalisation. Can you even cover everything?

What if you could run the check „offline“ or without connecting to the Internet?
Like, could I just download a list of known vulnerable libs and feed the tool that one?

I'm thinking out loud here :-)


@lirantal lirantal commented Dec 4, 2019

Happy we're having this conversation, so definitely thanks for chiming in.

> I mean, with an auth cookie, you poke a hole in a firewall to let someone else in, don't you?
> Since JS is "active", this would allow running arbitrary scripts.

Maybe I'm missing something, but I'm not sure of this statement's relevancy to the project here.
Teams who leverage the tool in a CI/CD may not be outside of the corporate firewall, and even if they are, how is something like this tool different than running any other E2E test on a system? It's not :)

> I mean, yeah, you could say you trust Google to not be evil, but…
> It leaves a bad taste for me.

I think there's some misunderstanding in perhaps how this tool works. It doesn't send anything to Google, nor to Snyk, nor anywhere else that I know of. It doesn't collect any vulnerabilities remotely or anything like that. See here: https://github.com/GoogleChrome/lighthouse#are-results-sent-to-a-remote-server

> Are results sent to a remote server?
> Nope. Lighthouse runs locally, auditing a page using a local version of the Chrome browser installed on the machine. Report results are never processed or beaconed to a remote server.


@Ryuno-Ki Ryuno-Ki commented Dec 4, 2019

Okay. Thanks for explaining. I had a wrong mental model of how this tool works.


@lirantal lirantal commented Dec 4, 2019

No worries at all! Thank you for discussing this :)
