forked from checkinholiday/lighthouse
-
Notifications
You must be signed in to change notification settings - Fork 0
/
is-on-https.js
123 lines (109 loc) · 5.53 KB
/
is-on-https.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
/**
* @license
* Copyright 2016 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import {Audit} from './audit.js';
import UrlUtils from '../lib/url-utils.js';
import {NetworkRequest} from '../lib/network-request.js';
import {NetworkRecords} from '../computed/network-records.js';
import * as i18n from '../lib/i18n/i18n.js';
const UIStrings = {
/** Title of a Lighthouse audit that provides detail on the useage of HTTPS on a page. This descriptive title is shown to users when all requests on a page are fufilled using HTTPS. */
title: 'Uses HTTPS',
/** Title of a Lighthouse audit that provides detail on the useage of HTTPS on a page. This descriptive title is shown to users when some, or all, requests on the page use HTTP instead of HTTPS. */
failureTitle: 'Does not use HTTPS',
/** Description of a Lighthouse audit that tells the user *why* HTTPS use *for all resources* is important. This is displayed after a user expands the section to see more. No character length limits. The last sentence starting with 'Learn' becomes link text to additional documentation. */
description: 'All sites should be protected with HTTPS, even ones that don\'t handle ' +
'sensitive data. This includes avoiding [mixed content](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content), ' +
'where some resources are loaded over HTTP despite the initial request being served ' +
'over HTTPS. HTTPS prevents intruders from tampering with or passively listening ' +
'in on the communications between your app and your users, and is a prerequisite for ' +
'HTTP/2 and many new web platform APIs. ' +
'[Learn more about HTTPS](https://developer.chrome.com/docs/lighthouse/pwa/is-on-https/).',
/** [ICU Syntax] Label identifying the number of insecure network requests found by an audit of a web page. */
displayValue: `{itemCount, plural,
=1 {1 insecure request found}
other {# insecure requests found}
}`,
/** Label for a column in a data table; entries in the column will be the URLs of insecure (non-HTTPS) network requests. */
columnInsecureURL: 'Insecure URL',
/** Label for a column in a data table; entries in the column will be how the browser handled insecure (non-HTTPS) network requests. */
columnResolution: 'Request Resolution',
/** Value for the resolution column in a data table; denotes that the insecure URL was allowed by the browser. */
allowed: 'Allowed',
/** Value for the resolution column in a data table; denotes that the insecure URL was blocked by the browser. */
blocked: 'Blocked',
/** Value for the resolution column in a data table; denotes that the insecure URL may be blocked by the browser in the future. */
warning: 'Allowed with warning',
/** Value for the resolution column in a data table; denotes that the insecure URL was upgraded to a secure request by the browser. */
upgraded: 'Automatically upgraded to HTTPS',
};
const resolutionToString = {
MixedContentAutomaticallyUpgraded: UIStrings.upgraded,
MixedContentBlocked: UIStrings.blocked,
MixedContentWarning: UIStrings.warning,
};
const str_ = i18n.createIcuMessageFn(import.meta.url, UIStrings);
class HTTPS extends Audit {
/**
* @return {LH.Audit.Meta}
*/
static get meta() {
return {
id: 'is-on-https',
title: str_(UIStrings.title),
failureTitle: str_(UIStrings.failureTitle),
description: str_(UIStrings.description),
requiredArtifacts: ['devtoolsLogs', 'InspectorIssues'],
};
}
/**
* @param {LH.Artifacts} artifacts
* @param {LH.Audit.Context} context
* @return {Promise<LH.Audit.Product>}
*/
static async audit(artifacts, context) {
const devtoolsLogs = artifacts.devtoolsLogs[Audit.DEFAULT_PASS];
const networkRecords = await NetworkRecords.request(devtoolsLogs, context);
const insecureURLs = networkRecords
.filter(record => !NetworkRequest.isSecureRequest(record))
.map(record => UrlUtils.elideDataURI(record.url));
/** @type {Array<{url: string, resolution?: LH.IcuMessage|string}>} */
const items = Array.from(new Set(insecureURLs)).map(url => ({url, resolution: undefined}));
/** @type {LH.Audit.Details.Table['headings']} */
const headings = [
{key: 'url', valueType: 'url', label: str_(UIStrings.columnInsecureURL)},
{key: 'resolution', valueType: 'text', label: str_(UIStrings.columnResolution)},
];
for (const details of artifacts.InspectorIssues.mixedContentIssue) {
let item = items.find(item => item.url === details.insecureURL);
if (!item) {
item = {url: details.insecureURL};
items.push(item);
}
item.resolution = resolutionToString[details.resolutionStatus] ?
str_(resolutionToString[details.resolutionStatus]) :
details.resolutionStatus;
}
// If a resolution wasn't assigned from an InspectorIssue, then the item
// is not blocked by the browser but we've determined it is insecure anyhow.
// For example, if the URL is localhost, all `http` requests are valid
// (localhost is a secure context), but we still identify `http` requests
// as an "Allowed" insecure URL.
for (const item of items) {
if (!item.resolution) item.resolution = str_(UIStrings.allowed);
}
let displayValue;
if (items.length > 0) {
displayValue = str_(UIStrings.displayValue, {itemCount: items.length});
}
return {
score: Number(items.length === 0),
displayValue,
details: Audit.makeTableDetails(headings, items),
};
}
}
export default HTTPS;
export {UIStrings};