@patrickhulce (Collaborator)

Summary
Often the HTTPS audit fails because the original URL audited was http, so even if it redirects, you still have the original redirect request over HTTP. We can kinda explain why this is desirable (though I'm not really sold it's worth the annoyance), but it's definitely not the case in HSTS internal redirects that happen in the browser, which is the whole point of HSTS. This applies to entire TLDs in some cases (.app/.dev), so we should handle those cases appropriately.

Related Issues/PRs
fixes #12674

@patrickhulce patrickhulce requested a review from a team as a code owner June 22, 2021 17:29
@patrickhulce patrickhulce requested review from adamraine and removed request for a team June 22, 2021 17:29
@google-cla google-cla bot added the cla: yes label Jun 22, 2021
```js
if (!destination) return false;

const reasonHeader = record.responseHeaders
  .find(header => header.name === 'Non-Authoritative-Reason');
```
Contributor

ha, I wonder how this header ended up with this name

Collaborator

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.4

non-authoritative because the info (the redirect) comes from a third party (hsts list in the browser), not the intended origin
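The HSTS-aware check the PR describes, as an added example that is not Lighthouse's own code. It assumes a simplified network record shape (`url`, `statusCode`, `responseHeaders`, `redirectDestination`) and relies on Chrome marking its browser-internal HSTS upgrade as a 307 carrying `Non-Authoritative-Reason: HSTS`; the constructed sample records are not captured from a real page.

```javascript
// Added example, not Lighthouse's own code. Chrome satisfies an HSTS upgrade with
// a synthetic "307 Internal Redirect" that never reaches the network and carries
// "Non-Authoritative-Reason: HSTS", so such a record should not be reported as an
// insecure HTTP request. The record shape below is a constructed stand-in.

function isHstsInternalRedirect(record) {
  const destination = record.redirectDestination;
  if (!destination) return false;
  if (record.statusCode !== 307) return false;
  // Header names are case-insensitive, so compare lower-cased (this example's
  // choice; the excerpt above compares the name as-is).
  const reasonHeader = (record.responseHeaders || [])
    .find(header => header.name.toLowerCase() === 'non-authoritative-reason');
  if (!reasonHeader || reasonHeader.value.trim().toUpperCase() !== 'HSTS') return false;
  // The upgrade must stay on the same host and actually move http -> https.
  try {
    const from = new URL(record.url);
    const to = new URL(destination.url);
    return from.protocol === 'http:' && to.protocol === 'https:' && from.hostname === to.hostname;
  } catch (e) {
    return false;
  }
}

// Secure if the scheme is https/wss (the set assumed here) or it is the
// browser-internal HSTS redirect above.
function isSecureRecord(record) {
  let protocol;
  try { protocol = new URL(record.url).protocol; } catch (e) { return false; }
  if (protocol === 'https:' || protocol === 'wss:') return true;
  return isHstsInternalRedirect(record);
}

function findInsecureUrls(records) {
  return records.filter(r => !isSecureRecord(r)).map(r => r.url);
}

// Constructed sample: an HSTS-upgraded .dev origin, a server-side 301 from a
// plain http site, and the https document that follows it.
const sampleRecords = [
  {url: 'http://example.dev/', statusCode: 307, redirectDestination: {url: 'https://example.dev/'},
   responseHeaders: [{name: 'Location', value: 'https://example.dev/'},
                     {name: 'Non-Authoritative-Reason', value: 'HSTS'}]},
  {url: 'http://example.com/', statusCode: 301, redirectDestination: {url: 'https://example.com/'},
   responseHeaders: [{name: 'Location', value: 'https://example.com/'}]},
  {url: 'https://example.com/', statusCode: 200, responseHeaders: []},
];

console.log(findInsecureUrls(sampleRecords)); // ['http://example.com/']
```

Only the request that a server answered with a real 301 is flagged; the HSTS upgrade on the .dev origin is recognised as never having left the browser.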

@patrickhulce patrickhulce merged commit 6de5b43 into master Jun 22, 2021
@patrickhulce patrickhulce deleted the hsts_secure branch June 22, 2021 18:53
Successfully merging this pull request may close these issues.

Lighthouse doesn't automatically treat .app or .dev TLDs as HTTPS