Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Theme Check] Add allowedDomains check for RemoteAsset theme checker #711

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Theme Check] Add allowedDomains check for RemoteAsset theme checker #711

wants to merge 1 commit into from

Conversation

zacariec
Copy link
Contributor

I'll update the PR template based on the revised commit message that focuses on developer experience and performance:

What are you adding in this PR?

Fixes #410

This PR adds domain validation to the RemoteAsset theme checker to ensure remote assets (scripts, stylesheets) are loaded from Shopify CDNs and approved domains. When a remote asset is referenced from an unlisted domain, the checker will provide guidance to help developers optimize performance and follow best practices.

Key changes:

  • New allowedDomains configuration in RemoteAsset check schema
  • Domain validation logic that checks resources against approved domains
  • Performance-focused warning messages guiding developers to use CDNs
  • Test coverage for both allowed and non-allowed domain scenarios

What's next? Any followup issues?

Potential follow-ups:

  • Add documentation about approved domains and CDN usage
  • Consider updating existing warnings when not using Shopify CDN to also flag they can add as an allowed domain
  • Consider creating a guide for determining which domains should be allowlisted

What did you learn?

The variety of ways developers include remote assets highlighted the need for clear guidance on performance best practices. The test cases helped identify common patterns in how external resources are referenced in themes.

Before you deploy

  • This PR includes a new checks or changes the configuration of a check
    • I included a patch bump changeset
    • It's in the allChecks array in src/checks/index.ts
    • I ran yarn build and committed the updated configuration files
    • If applicable, I've updated the theme-app-extension.yml config (N/A - performance check applies to all themes)
  • I included a minor bump changeset
  • My feature is backward compatible

@zacariec zacariec requested a review from a team as a code owner January 16, 2025 06:30
@zacariec zacariec changed the title Add allowedDomains check for RemoteAsset theme checker [Theme Check] Add allowedDomains check for RemoteAsset theme checker Jan 16, 2025
@zacariec zacariec marked this pull request as draft January 16, 2025 08:53
charlespwd
charlespwd reviewed Jan 17, 2025
View reviewed changes
packages/theme-check-common/src/checks/remote-asset/index.ts
const urlObj = new URL(url);
return SHOPIFY_CDN_DOMAINS.includes(urlObj.hostname);
return [...SHOPIFY_CDN_DOMAINS, ...allowedDomains].includes(urlObj.hostname);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should allowedDomains be normalized before doing the include check? IIRC .includes compares using strict equality, this would fail in the case a user puts in http://domain.com in their config since urlObj.hostName would compare domain.com with http://domain.com which does not match exactly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@charlespwd good point, inline with how we check i've introduced a normalise func that takes an array of strings and returns a new array of mapped strings.

String normalisation follows web URL standard and returns the hostname for comparison.

@zacariec
Add allowedDomains check for RemoteAsset theme checker
21fbba9 
Enhances developer experience by validating the remote assets (scripts,
stylesheets) are loaded not only from Shopify CDNs but now approved
domains. This prevents potential performance risks and incorrect errors
from loading resources from untrusted sources, forcing developers to go
and enable a source if it's _required_

The implementation includes:
- Schema property for configuring allowedDomains
- Domain validation against configured allow list
- Test coverage for both allowed and non-allowed domains

Reverted minor changeset to patch bump

Fixed prettier issues

Refactor domain list from global to parameter

Changes domain validation to accept allowedDomains as a parameter
instead of mutating a global array. This improves code clarity and
testability by making data flow explicit.

The change reduces side effets by:
- Removing relince on shared mutable state
- Making dpendencies clear through function signatures
- Enabling better unit testing of domain validation logic

Added file formatting

Add normalisaztion & tests.

- Added normalization to domains
- Added extra tests to test against and for normalisation of strings.

Update domains in test

refactor: remove redundant regex validation in normaliseAllowedDomains

- Remove regex pre-validation since new URL() already enforces strict
URL standards
- Simplify code by relying solely on new URL() for validation and
normalisation
@zacariec zacariec self-assigned this Jan 28, 2025
@zacariec zacariec marked this pull request as ready for review January 28, 2025 03:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@charlespwd charlespwd charlespwd left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@zacariec zacariec

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add config exceptions to Remote Asset check
2 participants
@zacariec @charlespwd