google / sxg-validator Goto Github PK

If a SXG is not returned from the origin, try to diagnose why sxg-rs might have chosen not to sign. (Not everybody is using sxg-rs, but I think most are.)

Go through sxg-rs create_signed_exchange() and capture the reasons signing might not happen (e.g. Cache-Control: no-store). The extension should look for those reasons in the origin response and display a warning if present.

When on a google.TLD search results page, if a user clicks the extension icon, it could identify which results point to webpkgcache (e.g. with an emoji or text badge).

1. If the SXG warning message includes "will be ingested asynchronously from ...", parse the cert-url from there.
2. Otherwise, just guess a path of /cdn-fpw/sxg/cert.pem.msg as that is the most common.

This will help display cert errors, if they are the cause of downstream SXG errors.

Here's an example. (But it no longer reproduces because it's in the cache now.)

e.g. on https://twifkak.com/blog/properties.html?a=b the cache URL shown & fetched is https://twifkak-com.webpkgcache.com/doc/-/s/twifkak.com/blog/properties.html

I enabled SXG on the site: https://www.iltelegrafolivorno.it through Cloudflare.
In our site images are composed with this url:
i.e:
https://www.iltelegrafolivorno.it/immagini/?fmt=webp&url=http%3A%2F%2Fp1014p.quotidiano.net%3A80%2Fpolopoly_fs%2F1.7801291.1655663245%21%2FhttpImage%2Fimage.jpg_gen%2Fderivatives%2Fwidescreen%2Fimage.jpg&w=512

using the sxg-validator it return me an error in the cache:

returning:
199 - "debug: content has ingestion error: Error fetching resource: not found"

but if I check the cache directly it works:

ie:
https://www-iltelegrafolivorno-it.webpkgcache.com/doc/-/s/www.iltelegrafolivorno.it/immagini/?fmt=webp&url=http%3A%2F%2Fp1014p.quotidiano.net%3A80%2Fpolopoly_fs%2F1.7801291.1655663245%21%2FhttpImage%2Fimage.jpg_gen%2Fderivatives%2Fwidescreen%2Fimage.jpg&w=512

sh-3.2$ curl -siH 'Accept: application/signed-exchange;v=b3' https://www-iltelegrafolivorno-it.webpkgcache.com/doc/-/s/www.iltelegrafolivorno.it/immagini/?fmt=webp\&url=http%3A%2F%2Fp1014p.quotidiano.net%3A80%2Fpolopoly_fs%2F1.7801291.1655663245%21%2FhttpImage%2Fimage.jpg_gen%2Fderivatives%2Fwidescreen%2Fimage.jpg\&w=512
HTTP/2 200
nel: {"report_to":"nel","max_age":604800,"success_fraction":0.05}
report-to: {"group":"nel","max_age":604800,"endpoints":[{"url":"https://beacons.gcp.gvt2.com/nel/upload-nel"},{"url":"https://beacons.gvt2.com/nel/upload-nel"}]}
report-to: {"group":"webpkgcache-team","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/webpkgcache-team"}]}
accept-ranges: bytes
vary: Accept-Encoding
content-type: application/signed-exchange;v=b3
content-security-policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/webpkgcache-team
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy-report-only: same-origin; report-to="webpkgcache-team"
content-length: 48603
date: Mon, 20 Jun 2022 09:38:19 GMT
expires: Mon, 20 Jun 2022 09:38:19 GMT
cache-control: private, max-age=601199
last-modified: Mon, 20 Jun 2022 09:19:24 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

Something like:

"If there's an X in the Origin section, you'll need to figure out why; look for things like Cache-Control: no-store or Set-Cookie headers.

If there's an X in the Cache or Cert section, there should be a Warning Message saying why.

See SXG Cache Requirements for details."

Parse the SXG's link header and check the origin and especially cache status of each of the preloaded subresources. I'm not sure the best way to display it.

Either linkify the webpkgcache URL, or append a link after it, like "(view)". This helps people verify that the cache version is equivalent to the origin version.