HTTP redirects to HTTPS audit doesn't work on android

[patrickhulce]

When you run Lighthouse on WPT or on any Android device, the security domain does not work properly and thus fails the HTTP redirect check, see this report as example.

We should do what we did for is on HTTPS and just check for the scheme.

[evenstensberg]

Can work on this. Need more context around the meaning of WPT, as my best search results were 🎴 World Poker Tournament 🎴 .

We should do what we did for is on HTTPS and just check for the scheme.

Mind clarifying with relevant links and some more details?

[brendankenny]

World Poker Tournament

WPT is WebPagetest :D

Mind clarifying with relevant links and some more details?

for background, see discussion and changes to is-on-https.js in #1918

[patrickhulce]

Sure :) WPT stands for https://www.webpagetest.org/ which is open source and does performance testing as a service. We have a Lighthouse integration there that enables you to get a LH report along with your regular report when you run it on one of their mobile devices.

Unfortunately the security domain we use to tell if you are on a https doesn't work on android. We encountered this with the is-on-https audit too which we switched to just parse the URLs and check if the scheme is https instead of using the security domain (see #1918).

I'm thinking we do something similar for the http-redirect gatherer and don't use the security state but just check that the final URL has https scheme

[evenstensberg]

Gotcha! Let me bring up a PR for that possibly due thursday. If you know where to fix at android I can do it there instead, either way is fine with me. ( If the android implementation is OSS )

[patrickhulce]

If you know where to fix at android

I wish it were that simple :D either way we've going to have to work around this here in LH quickly since a fix for Android Chrome won't necessarily get pushed out soon even if we had one today. If you're curious though you can take a look at the Chromium bug and poke around the Chromium code

[evenstensberg]

This one:

lighthouse/lighthouse-core/audits/is-on-https.js

Line 57 in f03f287

const networkRecords = artifacts.networkRecords[Audit.DEFAULT_PASS];

Fetches all urls from network, or?

[patrickhulce]

Right, that audit checks that all requests in the default pass used https. To fix this one though, you probably won't even need to mess with network records you could just check the final url in the afterPass method of http-redirect gatherer

[evenstensberg]

Yep, doing it right now. Watching how you're building up audits to better know the source code while at it

[evenstensberg]

Left it at #2396 , please, do an extensive review, this seems too simple and could break stuff

[paulirish]

The simple fix: in afterPass we evaluateAsync new URL(window.location).protocol === 'https:' instead of using Security domain.

I'm going to take this.

[kevmoo]

@paulirish – would love a fix here 😄