Do we want to let user know if /robots.txt fails with something like HTTP 500? IMO if the response code is in HTTP 500 - 600 range we can safely report it as an issue.

User-agent: Googlebot
Disallow: / # everything is blocked for googlebot

User-agent: *
Disallow: # but allowed for everyone else

Should we fail in such case? How about robots.txt that is only blocking e.g. Googlebot-Image, or Bing, Yandex, DuckDuckGo? 🤔

For consistency with https://github.com/GoogleChrome/lighthouse/issues/3182 let's try to avoid distinguishing between crawlers. If the common case is * UAs, then that's the one we should check. If possible, it would be great to warn saying "you passed, but you're blocking googlebot".

The alternative is to fail the audit when seeing anything resembling noindex, which seems too strict.

I'd also love to see the contents echoed back in the extra info table or similar. Just showing it to users is a sort of manual validation, even if the audit passes. As a secondary benefit, this would be great for data mining later.

For the record, here is the full set of rules I've put together from various sources and implemented in the robots.txt validator:

Rules

1. request for /robots.txt doesn't return HTTP 500+
2. robots.txt file is smaller than 500kb (gziped) - this one is WIP
3. only empty lines, comments and directives (matching "name: value" format) are allowed

4. only directives from the safelist are allowed:

   'user-agent', 'disallow', // standard
   'allow', 'sitemap', // universally supported
   'crawl-delay', // yahoo, bing, yandex
   'clean-param', 'host', // yandex
   'request-rate', 'visit-time', 'noindex' // not officially supported, but used in the wild

5. there are no 'allow' or 'disallow' directives before 'user-agent'

6. 'user-agent' can't have empty value
7. 'sitemap' must provide an absolute URL with http/https/ftp scheme
8. 'allow' and 'disallow' values should be either: empty, or start with "/" or "*"
9. 'allow' and 'disallow' should not use '$' in the middle of a value (e.g. "allow: /file$html")

Test

I did run my validator against top 1000 domains and got following errors for 39 of them: https://gist.github.com/kdzwinel/b791967eb66d0e2925ea22c8ca14233a .

Resources

Various docs:

• https://developers.google.com/search/reference/robots_txt
• https://www.bing.com/webmaster/help/how-to-create-a-robots-txt-file-cb7c31ec
• https://support.google.com/webmasters/answer/6062596?hl=en
• https://yandex.com/support/webmaster/controlling-robot/robots-txt.xml
• https://github.com/VIPnytt/RobotsTxtParser/blob/master/docs/Directives.md

and online validators:

• https://www.google.com/webmasters/tools/robots-testing-tool
• https://webmaster.yandex.com/tools/robotstxt