The newly released Lighthouse 10, the technology behind PageSpeed Insights and Chrome DevTools, introduces two new site audits. These audits should be useful as part of the audit as they relate to site security and user experience factors.
Technically, an audit is an expansion of a previous revision, but it is essentially a new audit.
Lighthouse has several types of audits including, accessibility audits, best practices audits, performance audits, incremental web application audits, and SEO audits.
Two new audits have been made from two different audits within the Lighthouse. One is part of Best practices audit and the other who Performance audits category.
New back/forward cache audit
Something that is not usually thought of is the back/forward cache, also known as bfcache.
bfcache is an optimization-enabled cache that allows web pages to load immediately when the user navigates backwards or forwards within the website.
Websites without bfcache have been enabled to force site visitors to download web pages a second time when they navigate back and forth within the website.
But with bfcache enabled, visitors to the same site enjoy instant loading.
Google’s developer page about bfcache states it as follows:
The back/forward cache (bfcache) stores a snapshot of the page in memory when the page is restored from the navigation history.
This greatly speeds up navigations back to the page, however some browser APIs (eg unload listeners) can cause bfcache to fail and the page will load normally. “
There are best practices to ensure that pages are eligible to be stored in bfcache.
The first improvement is to never use the unload event.
According to Web.dev:
The unload event is problematic for browsers because it predates bfcache and many pages on the Internet operate under the (reasonable) assumption that the page will no longer exist after the unload event has been fired.
This is a challenge because many of these pages are also built on the assumption that the unload event will fire anytime the user navigates away, which is no longer true (and hasn’t been true for a long time). “
the Mozilla developer web page For the dump event, it is also advised not to:
Warning: Developers should avoid using this event.
Lighthouse 10 now has auditing for bfcache.
The way it works is that it navigates away from and then back to the webpage being tested.
Any issues with being able to use bfcache are taken care of by bfcache auditing.
There are three types of failures:
- effective
Problems that can be fixed. - Hanging support
Features that Chrome does not yet support prevent the browser from caching the webpage. - it is not practical
These are issues that lie outside the page itself and cannot be controlled or fixed.
Read for more info: Chrome developer page about bfcache:
Ensure that the page can be restored from the back/forward cache
Expand field review for pasting in passwords
Allowing users to paste passwords into the password form field is a security improvement.
Disabling the ability to paste passwords prevents site visitors from using password managers that use strong passwords.
Previous versions of Lighthouse that tested best practices for pasting into form fields were limited to password field testing only.
Lighthouse 10 improves on this checking by extending to test if pasting into any (other than read-only) input field works.
Google’s announcement of this new audit explains why it’s important:
“For most sites, preventing pasting is a completely negative user experience and prevents legitimate security and accessibility workflows.”
A “read-only” input field is a form field that contains a pre-filled default entry.
All other input fields should allow pasting because it is beneficial for accessibility, user experience, and security improvement.
Google developer Troubleshooting page for this type of audit He offers this advice to solve this problem:
How to enable pasting in password fields
# Find the code that prevents pasting
To quickly find and examine the code that prevents pasting:
-
Expand the Event listener breakpoints pane.
-
Expand the Clipboard menu.
-
Select the Paste check box.
-
Paste some text into the password field on your page.
-
DevTools should pause on the first line of code in the relevant paste event listener”.
Google encourages identifying a javascript listener that prevents pasting and then removing it.
Two new lighthouse audits
Many SEO audits do not test for security issues, possibly because security has nothing to do with ranking, a belief that is arguably incorrect.
I have maintained for many years that security is an SEO issue because poor security leads to a negative impact on rankings.
If the goal of the audit is to identify the reasons why rankings might be hacked, then in my opinion the security check should be part of the SEO audit.
Lighthouse 10 is active in the PageSpeed Insights tool and will appear in Chrome version 112, currently scheduled for a March 29, 2023 release.
Those who want to try Lighthouse 10’s new Chrome DevTools interface can do so using the developer version of Google’s browser, Chrome Canarywhich contains all the latest features before the regular version of Chrome.
Read about the new audits in the Lighthouse 10 announcement:
What’s new in Lighthouse 10 – New audits
Featured image by Shutterstock / Asier Romero
