With sonarwhal now reaching version 1 (v1), Microsoft has detailed how the tool has developed since it was announced a year ago. The company says it created the tool in response to regular feedback from customers and partners. Innovations in web development are happening rapidly, so developers need tools to make sites faster and more secure. “Every day, we see sites that have a great architecture, built with the latest libraries and tools, but that don’t use the right cache policy for their static assets, or that don’t compress everything they should, or with common security flaws—and that’s just scratching the surface. The web is complex and it can be easy to miss something at any point during the development process.” Sonarwhal was created from this need to make web development more effective. Microsoft says ensuring seamless interoperability across browsers is also an important aspect of modern web creation. We have seen Microsoft increasingly move towards open source solutions in recent years. Sonarwhal extends that growing willingness to make software communally available. The company says feedback through the preview process has helped shape the development of sonarwhal.
Rules
In a blog post today, Microsoft says research has been vital to ensure the solution is as robust as possible. Among the details the company mentions are:
“The http-compression rule will perform several requests for each resource with different headers and check the content to validate the server is actually respecting them. E.g.: When resources are requested uncompressed, does the server actually respect what was requested and serve them uncompressed? Is the server doing User-Agent sniffing instead of relying on the Accept-Encoding header of the request? Is the server compressing resources using Zopfli when requests are made advertising support for gzip compression? The web manifest rules are also interesting. Does the web manifest point to an image? Does that image exist? Does the image meet the recommended resolution and file size? Does it have the right format to be used by any browser? Is the name of the web application short enough to be displayed on all platforms? The web is full of lies (starting with the user-agent string). Just because a file ends with .png and has content-type: image/png doesn’t mean it’s a PNG. It could very well be a JPEG file, or something completely different. And the same goes for every downloaded resource. The content-type rule will look at the bytes of the resources and verify the server is actually serving what it says it is and, where applicable, that it is specifying the proper charset.”
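The content-type check described in the quote above, as an added JavaScript example (not sonarwhal's own code): it sniffs the leading bytes of a resource, compares them with the declared Content-Type header, and flags text resources served without a charset. The signature table, the function names and the constructed JPEG-served-as-PNG sample are assumptions made for this illustration.

```javascript
// Added example (not sonarwhal's code): compare the declared Content-Type of a
// resource with what its leading "magic" bytes say it actually is.
const SIGNATURES = [
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { type: 'application/gzip', bytes: [0x1f, 0x8b] },
];

// Returns the MIME type implied by the magic bytes, or null if none match.
function sniffType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

// Parses "text/html; charset=utf-8" into { mediaType, charset }.
function parseContentType(header) {
  const [mediaType, ...params] = header.split(';').map((s) => s.trim().toLowerCase());
  const charsetParam = params.find((p) => p.startsWith('charset='));
  return { mediaType, charset: charsetParam ? charsetParam.slice('charset='.length) : null };
}

// Produces the findings a content-type check would report: the header must match
// the bytes actually served, and text resources should declare a charset.
function checkContentType(header, buf) {
  const problems = [];
  const { mediaType, charset } = parseContentType(header);
  const actual = sniffType(buf);
  if (actual && actual !== mediaType) {
    problems.push(`declared ${mediaType} but bytes look like ${actual}`);
  }
  if (mediaType.startsWith('text/') && !charset) {
    problems.push(`${mediaType} served without a charset parameter`);
  }
  return problems;
}

// Constructed sample: the start of a JPEG (SOI + APP0 marker) served as image/png.
const fakePng = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]);
console.log(checkContentType('image/png', fakePng));
console.log(checkContentType('text/html', Buffer.from('<!doctype html>')));
```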
In total, the company created 30 rules across 6 categories to govern how sonarwhal will operate. Microsoft says more will come as development continues.