[PWA-680] Webpagetest security score is too low #2548
Conversation
|
|
Performance Test Results The following fails have been reported by WebpageTest. These numbers indicates a possible performance issue with the PR which requires further manual testing to validate. https://pr-2548.pwa-venia.com : LH Performance Expected 0.85 Actual 0.51, LH Best Practices Expected 1 Actual 0.92, WPT Cache Expected 90 Actual 83.333333333333 |
packages/venia-ui/upward.yml
Outdated
| x-frame-options: | ||
| inline: SAMEORIGIN | ||
| x-xss-protection: | ||
| inline: '1; mode=block' |
There was a problem hiding this comment.
This may be unnecessary. Does WPT expect it?
There was a problem hiding this comment.
The ones included are the five specific headers WPT looks for, dings for each missing one. The browsers that don't support CSP and need this rule we probably don't support anyway, so that's a fair point. We have the option to not include them and defend whatever score WPT decides to give us.
There was a problem hiding this comment.
As long as WPT cares, we can include them.
- Write an interceptor that injects them into the app shell
There was a problem hiding this comment.
LGTM, this is a perfect target-plus-interceptor kind of implementation. The future is now.
Possible improvements for later:
- An UPWARD MergeResolver, so that other definitions could reference these headers, instead of this extension injecting them into Venia
- Env var definitions for controlling values like max-age, or additional domains for CSP to allow
- Unit tests, a README for the extension, etc
None are blockers for now. Approved.
packages/venia-concept/package.json
Outdated
| "@magento/peregrine": "~6.0.0", | ||
| "@magento/pwa-buildpack": "~5.1.1", | ||
| "@magento/upward-js": "~4.0.1", | ||
| "@magento/upward-security-headers": "*", |
There was a problem hiding this comment.
This probably should follow the pattern of other deps and be ~0.0.1.
There was a problem hiding this comment.
Fixed to this constraint in 27e45b1
| if (process.env.DEBUG_PROJECT_CREATION) { | ||
| prettyLogger.info('Debug: Removing generated tarballs'); | ||
| const pkgDir = require('pkg-dir'); | ||
| const monorepoDir = resolve(pkgDir.sync(__dirname), '../../'); | ||
| const packagesDirectory = resolve(pkgDir.sync(__dirname), '../'); | ||
| prettyLogger.info( | ||
| execa.shellSync('rm -v packages/*/*.tgz', { cwd: monorepoDir }) | ||
| .stdout | ||
| execa.shellSync('find . -name "*.tgz" -delete -print', { | ||
| cwd: packagesDirectory | ||
| }).stdout | ||
| ); | ||
| } |
There was a problem hiding this comment.
I don't know why I didn't think of this before, but...what if we just put tarballs in package roots in .gitignore? I just tested it and it worked fine. We could just remove this section in create-project.js entirely. Which would be nice, since now we're not looking for DEBUG_PROJECT_CREATION in two places.
Gitignore additions:
## May temporarily create tarballs during scaffolding debug
packages/*/*.tgz
packages/extensions/*/*.tgzThere was a problem hiding this comment.
Got rid of cleanup and added a gitignore rule in 9a0ce84
| const workspaceDir = resolve(__dirname, '../../'); | ||
| fs.readdirSync(workspaceDir).forEach(packageDir => { | ||
| const extensionDir = resolve(workspaceDir, 'extensions'); | ||
|
|
||
| const packageDirs = [ | ||
| ...fs.readdirSync(workspaceDir), | ||
| ...fs.readdirSync(extensionDir).map(path => `extensions/${path}`) | ||
| ]; | ||
|
|
There was a problem hiding this comment.
This works, but I think it would be a little more robust to just ask Yarn what the current packages are.
// Assume we are in the pwa-studio repo and get its root.
const monorepoDir = resolve(__dirname, '../../../');
// The Yarn "workspaces info" command outputs JSON as of v1.22.4.
// The -s flag suppresses all other non-JSON logging output.
const yarnWorkspaceInfoCmd = 'yarn -s workspaces info';
let workspaceInfo = require('child_process').execSync(
yarnWorkspaceInfoCmd,
{ cwd: monorepoDir }
);
let packageDirs;
try {
packageDirs = Object.values(JSON.parse(workspaceInfo)).map(
({ location }) => resolve(monorepoDir, location)
);
} catch (e) {
// In case Yarn breaks this in the future, throw a more informative
// error than your typical JSONError.
throw new Error(
`Could not parse output of '${yarnWorkspaceInfoCmd}:\n${workspaceInfo}`
);
}There was a problem hiding this comment.
Love it, made this change in 9a0ce84.
| const packagePath = resolve(workspaceDir, packageDir); | ||
| if (!fs.statSync(packagePath).isDirectory()) { | ||
| return; |
There was a problem hiding this comment.
If you use the Yarn method in my other comment, you don't need to do this resolve and stat check. packageDirs will contain only absolute-path directories.
There was a problem hiding this comment.
Much cleaner, implemented in 9a0ce84. This method additionally filters out workspaces without package.json files, so I was able to get rid of that check too.
tjwiebell
added
the
version: Major
|
@tjwiebell WPT security score looks great on all configs (img_opt - onboard/backend, upward-php/js). Issue I'm seeing with braintree payment module - Infinite loading indicator with below console error -
|
@dpatil-magento - Added an additional rule in 092cd5a that allows iframes to load from that braintree domain. Good catch! |
|
QA Approved. |
Description
Steps -
Expected - New Security should show better results.
Actual - Security score is F.
Related Issue
Acceptance
Verification Stakeholders
Specification
Verification Steps
Passing score on WPT
Since we're introducing a very opinionated CSP rule in this PR, it would also be good to verify this plays nicely with various setups (Both UPWARDs, onboard/backend image opt).
Screenshots / Screen Captures (if appropriate)
Checklist