Optimization Detective not working on non-HTTPS site

[swissspidy]

Bug Description

The detection script uses crypto.subtle.digest, but the crypto API is only available in secure (HTTPS) contexts.

I noticed by accident as I was accessing my local site without HTTPS.

Then I got a JS error:

Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'digest')

While most sites are using HTTPS nowadays anyway, I think this potential error should be caught to avoid errors.

It can then log to the console that detection is not possible or so.

Steps to reproduce

1. Install on HTTPS site
2. View site
3. See unhandled JS error

Screenshots

Additional Context

• PHP Version:
• OS: [e.g. iOS]
• Browser: [e.g. chrome, safari]
• Plugin Version: [e.g. 22]
• Device: [e.g. iPhone6]

[westonruter]

Interesting that this is not available on HTTP when crypto seems like it would be all the more important to have available if a secure connection isn't available.

I agree that detection should short-circuit with a warning (or maybe an error for visibility) when the API isn't available. If it is not available and the current page doesn't have HTTPS, then the message can advise that they use HTTPS. Note that not all HTTP sites are affected, namely localhost is an exception.

Alternatively, we could construct the sessionStorage keys using an alternate means than hashing. But maybe this isn't warranted.