Merge branch 'main' into privacy-sql-2025

Author: max-ostapenko

sql/2025/security/cookie_age_percentiles.sql

@@ -37,7 +37,7 @@ LANGUAGE js AS '''
 WITH age_values AS (
   SELECT
     client,
-    getCookieAgeValues(response_headers.value, INT64(summary.startedDateTime)) AS values
+    getCookieAgeValues(response_headers.value, UNIX_SECONDS(TIMESTAMP(STRING(payload.startedDateTime)))) AS values
   FROM
     `httparchive.crawl.requests`,
     UNNEST(response_headers) AS response_headers

sql/2025/security/cookie_max_age_expires_top_values.sql

@@ -34,7 +34,7 @@ WITH max_age_values AS (
   FROM
     `httparchive.crawl.requests`,
     UNNEST(response_headers) AS rh,
-    UNNEST(JSON_QUERY_ARRAY(getCookieAgeValues(rh.value, INT64(summary.startedDateTime))), '$.maxAge') AS max_age_value
+    UNNEST(JSON_QUERY_ARRAY(getCookieAgeValues(rh.value, INT64(summary.startedDateTime)), '$.maxAge')) AS max_age_value
   WHERE
     date = '2025-07-01' AND
     is_root_page AND
@@ -46,7 +46,7 @@ expires_values AS (
     client,
     expires_value
   FROM
-    `httparchive.all.requests`,
+    `httparchive.crawl.requests`,
     UNNEST(response_headers) AS rh,
     UNNEST(JSON_QUERY_ARRAY(getCookieAgeValues(rh.value, INT64(summary.startedDateTime)), '$.expires')) AS expires_value
   WHERE

sql/2025/security/csp_script_source_list_keywords_per_request.sql

@@ -24,18 +24,19 @@ FROM (
   SELECT
     client,
     COUNT(0) AS total_pages_with_csp,
-    COUNTIF(csp_header IS NOT NULL) AS freq_csp,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src')) AS freq_default_script_src,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+strict-dynamic')) AS freq_strict_dynamic,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+nonce-')) AS freq_nonce,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+unsafe-inline')) AS freq_script_unsafe_inline,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+unsafe-eval')) AS freq_script_unsafe_eval,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)unsafe-inline')) AS freq_unsafe_inline,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)unsafe-eval')) AS freq_unsafe_eval
+    COUNTIF(csp_combined IS NOT NULL) AS freq_csp,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src')) AS freq_default_script_src,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+strict-dynamic')) AS freq_strict_dynamic,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+nonce-')) AS freq_nonce,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+unsafe-inline')) AS freq_script_unsafe_inline,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+unsafe-eval')) AS freq_script_unsafe_eval,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)unsafe-inline')) AS freq_unsafe_inline,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)unsafe-eval')) AS freq_unsafe_eval
   FROM (
     SELECT
       client,
-      response_headers.value AS csp_header
+      url,
+      STRING_AGG(response_headers.value, '; ') AS csp_combined
     FROM
       `httparchive.crawl.requests`,
       UNNEST(response_headers) AS response_headers
@@ -44,6 +45,8 @@ FROM (
       is_root_page AND
       is_main_document AND
       LOWER(response_headers.name) = 'content-security-policy'
+    GROUP BY
+      client, url
   )
   GROUP BY
     client

sql/2025/security/hsts_attributes.sql

@@ -3,23 +3,25 @@
 # Question: How many websites use HSTS includeSubDomains and preload?
 SELECT
   client,
-  COUNT(0) AS total_requests,
-  COUNTIF(hsts_header_val IS NOT NULL) AS total_hsts_headers,
-  COUNTIF(hsts_header_val IS NOT NULL) / COUNT(0) AS pct_hsts_requests,
-  COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)max-age\s*=\s*\d+') AND NOT REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_valid_max_age,
-  COUNTIF(REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_zero_max_age,
-  COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)includeSubDomains')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_include_subdomains,
-  COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)preload')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_preload
+  COUNT(0) AS total_requests_with_hsts_header,
+  COUNTIF(hsts_header_val IS NOT NULL) AS total_non_null_hsts_headers,
+  SAFE_DIVIDE(COUNTIF(hsts_header_val IS NOT NULL), COUNT(0)) AS pct_hsts_requests,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)max-age\s*=\s*\d+') AND NOT REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_valid_max_age,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_zero_max_age,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)includeSubDomains')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_include_subdomains,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)preload')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_preload
 FROM (
   SELECT
     client,
-    REGEXP_EXTRACT(summary.respOtherHeaders, r'(?i)strict-transport-security =([^,]+)') AS hsts_header_val
+    response_headers.value AS hsts_header_val
   FROM
-    `httparchive.crawl.requests`
+    `httparchive.crawl.requests`,
+    UNNEST(response_headers) AS response_headers
   WHERE
     date = '2025-07-01' AND
     is_root_page AND
-    is_main_document
+    is_main_document AND
+    LOWER(response_headers.name) = 'strict-transport-security'
 )
 GROUP BY
   client

sql/2025/security/https_server_redirects.sql

@@ -8,10 +8,11 @@ SELECT
   COUNT(DISTINCT url) AS total_urls_on_page,
   COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) AS count_http_urls_on_page,
   COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) / COUNT(DISTINCT url) AS pct_http_urls_on_page,
-  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND STRING(summary.resp_location) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) AS count_http_urls_with_https_redirect_on_page,
-  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND STRING(summary.resp_location) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) / COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) AS pct_http_urls_with_https_redirect_on_page
+  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND (SELECT value FROM UNNEST(response_headers) WHERE LOWER(name) = 'location' LIMIT 1) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) AS count_http_urls_with_https_redirect_on_page, -- noqa: AM09
+  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND (SELECT value FROM UNNEST(response_headers) WHERE LOWER(name) = 'location' LIMIT 1) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) / COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) AS pct_http_urls_with_https_redirect_on_page -- noqa: AM09
 FROM
-  `httparchive.crawl.requests`
+  `httparchive.crawl.requests`,
+  UNNEST(response_headers) AS response_headers
 WHERE
   date = '2025-07-01' AND
   is_root_page

sql/2025/security/robot_txt_sensitive_disallow.sql

@@ -4,16 +4,10 @@
 CREATE TEMPORARY FUNCTION getAllDisallowedEndpoints(data JSON)
 RETURNS ARRAY<STRING> DETERMINISTIC
 LANGUAGE js AS '''
-  let parsed_data;
-  try {
-    parsed_data = JSON.parse(data);
-  } catch (e) {
+  if (data == null || data["/robots.txt"] == undefined || !data["/robots.txt"]["found"]) {
       return [];
   }
-  if (parsed_data == null || parsed_data["/robots.txt"] == undefined || !parsed_data["/robots.txt"]["found"]) {
-      return [];
-  }
-  const parsed_endpoints = parsed_data["/robots.txt"]["data"]["matched_disallows"];
+  const parsed_endpoints = data["/robots.txt"]["data"]["matched_disallows"];
   const endpoints_list = Object.keys(parsed_endpoints).map(key => parsed_endpoints[key]).flat();
   return Array.from(new Set(endpoints_list));
 ''';

sql/2025/security/sri_coverage_per_page.sql

@@ -1,7 +1,7 @@
 #standardSQL
 # Section: Content Inclusion - Subresource Integriy
 # Question: How many scripts on a page have the integrity attribute? (percentage)
-CREATE TEMP FUNCTION getNumScriptElements(sris ARRAY<STRING>) AS (
+CREATE TEMP FUNCTION getNumScriptElements(sris ARRAY<JSON>) AS (
   (SELECT COUNT(0) FROM UNNEST(sris) AS sri WHERE JSON_EXTRACT_SCALAR(sri, '$.tagname') = 'script')
 );
 

sql/2025/security/tls_ca_issuers_pages_over_time.sql

@@ -3,6 +3,7 @@
 # Question: What is the distribution of CA issuers for all pages over time?
 # Note: currently includes HTTP (i.e., pages with no issuer)
 SELECT
+  date,
   client,
   issuer,
   SUM(COUNT(0)) OVER (PARTITION BY client, date) AS total_https_pages,
@@ -23,10 +24,12 @@ FROM (
   GROUP BY
     client,
     request_host,
-    issuer
+    issuer,
+    date
 )
 GROUP BY
   client,
-  issuer
+  issuer,
+  date
 ORDER BY
-  pct DESC
+  date DESC

sql/2025/sustainability/cache_header_usage.sql

@@ -0,0 +1,104 @@
+#standardSQL
+# The distribution of cache header adoption on websites by client.
+
+SELECT
+  client,
+  COUNT(0) AS total_requests,
+
+  COUNTIF(uses_cache_control) AS total_using_cache_control,
+  COUNTIF(uses_max_age) AS total_using_max_age,
+  COUNTIF(uses_expires) AS total_using_expires,
+  COUNTIF(uses_max_age AND uses_expires) AS total_using_max_age_and_expires,
+  COUNTIF(
+    uses_cache_control AND uses_expires
+  ) AS total_using_both_cc_and_expires,
+  COUNTIF(
+    NOT uses_cache_control AND NOT uses_expires
+  ) AS total_using_neither_cc_and_expires,
+  COUNTIF(
+    uses_cache_control AND NOT uses_expires
+  ) AS total_using_only_cache_control,
+  COUNTIF(
+    NOT uses_cache_control AND uses_expires
+  ) AS total_using_only_expires,
+
+  COUNTIF(uses_cache_control) / COUNT(0) AS pct_cache_control,
+  COUNTIF(uses_max_age) / COUNT(0) AS pct_using_max_age,
+  COUNTIF(uses_expires) / COUNT(0) AS pct_using_expires,
+  COUNTIF(
+    uses_max_age AND uses_expires
+  ) / COUNT(0) AS pct_using_max_age_and_expires,
+  COUNTIF(
+    uses_cache_control AND uses_expires
+  ) / COUNT(0) AS pct_using_both_cc_and_expires,
+  COUNTIF(
+    NOT uses_cache_control AND NOT uses_expires
+  ) / COUNT(0) AS pct_using_neither_cc_nor_expires,
+  COUNTIF(
+    uses_cache_control AND NOT uses_expires
+  ) / COUNT(0) AS pct_using_only_cache_control,
+  COUNTIF(
+    NOT uses_cache_control AND uses_expires
+  ) / COUNT(0) AS pct_using_only_expires
+
+FROM (
+  SELECT
+    client,
+    url,
+    LOGICAL_OR(
+      header.name = 'expires' AND header.value IS NOT NULL AND TRIM(
+        header.value
+      ) != ''
+    ) AS uses_expires,
+    LOGICAL_OR(
+      header.name = 'cache-control' AND
+      header.value IS NOT NULL AND
+      TRIM(header.value) != ''
+    ) AS uses_cache_control,
+    LOGICAL_OR(
+      header.name = 'cache-control' AND REGEXP_CONTAINS(
+        header.value, r'(?i)max-age\s*=\s*[0-9]+'
+      )
+    ) AS uses_max_age,
+
+    LOGICAL_OR(
+      header.name = 'etag' AND (
+        header.value IS NULL OR TRIM(header.value) = ''
+      )
+    ) AS uses_no_etag,
+    LOGICAL_OR(
+      header.name = 'etag' AND header.value IS NOT NULL AND TRIM(
+        header.value
+      ) != ''
+    ) AS uses_etag,
+    LOGICAL_OR(
+      header.name = 'last-modified' AND
+      header.value IS NOT NULL AND
+      TRIM(header.value) != ''
+    ) AS uses_last_modified,
+
+    LOGICAL_OR(
+      header.name = 'etag' AND REGEXP_CONTAINS(
+        TRIM(header.value), '^W/".*"'
+      )
+    ) AS uses_weak_etag,
+    LOGICAL_OR(
+      header.name = 'etag' AND REGEXP_CONTAINS(
+        TRIM(header.value), '^".*"'
+      )
+    ) AS uses_strong_etag
+
+  FROM
+    `httparchive.crawl.requests`,
+    UNNEST(response_headers) AS header
+  WHERE
+    date = '2025-07-01'
+  GROUP BY
+    client,
+    url
+)
+
+GROUP BY
+  client
+ORDER BY
+  client;

sql/2025/sustainability/cdn_adoption.sql

@@ -0,0 +1,33 @@
+#standardSQL
+# The distribution of CDN adoption on websites by client.
+
+SELECT
+  client,
+  total,
+  IF(cdn = '', 'No CDN', cdn) AS cdn,
+  COUNT(0) AS freq,
+  ROUND(100 * COUNT(0) / total, 2) AS pct
+FROM (
+  SELECT
+    client,
+    COUNT(0) AS total,
+    ARRAY_CONCAT_AGG(
+      SPLIT(JSON_VALUE(summary.cdn), ', ')
+    ) AS cdn_list
+  FROM
+    `httparchive.crawl.pages`
+  WHERE
+    date = '2025-07-01' AND
+    is_root_page = TRUE
+  GROUP BY
+    client
+),
+  UNNEST(cdn_list) AS cdn
+GROUP BY
+  client,
+  cdn,
+  total
+ORDER BY
+  pct DESC,
+  client ASC,
+  cdn ASC;