Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Theme Check] Add allowedDomains check for RemoteAsset theme checker #711

Merged
merged 1 commit into from
Feb 24, 2025
Merged

[Theme Check] Add allowedDomains check for RemoteAsset theme checker #711

merged 1 commit into from
Feb 24, 2025

Conversation

zacariec
Copy link
Contributor

I'll update the PR template based on the revised commit message that focuses on developer experience and performance:

What are you adding in this PR?

Fixes #410

This PR adds domain validation to the RemoteAsset theme checker to ensure remote assets (scripts, stylesheets) are loaded from Shopify CDNs and approved domains. When a remote asset is referenced from an unlisted domain, the checker will provide guidance to help developers optimize performance and follow best practices.

Key changes:

  • New allowedDomains configuration in RemoteAsset check schema
  • Domain validation logic that checks resources against approved domains
  • Performance-focused warning messages guiding developers to use CDNs
  • Test coverage for both allowed and non-allowed domain scenarios

What's next? Any followup issues?

Potential follow-ups:

  • Add documentation about approved domains and CDN usage
  • Consider updating existing warnings when not using Shopify CDN to also flag they can add as an allowed domain
  • Consider creating a guide for determining which domains should be allowlisted

What did you learn?

The variety of ways developers include remote assets highlighted the need for clear guidance on performance best practices. The test cases helped identify common patterns in how external resources are referenced in themes.

Before you deploy

  • This PR includes a new checks or changes the configuration of a check
    • I included a patch bump changeset
    • It's in the allChecks array in src/checks/index.ts
    • I ran yarn build and committed the updated configuration files
    • If applicable, I've updated the theme-app-extension.yml config (N/A - performance check applies to all themes)
  • I included a minor bump changeset
  • My feature is backward compatible

@zacariec zacariec requested a review from a team as a code owner January 16, 2025 06:30
@zacariec zacariec changed the title Add allowedDomains check for RemoteAsset theme checker [Theme Check] Add allowedDomains check for RemoteAsset theme checker Jan 16, 2025
@zacariec zacariec marked this pull request as draft January 16, 2025 08:53
@zacariec zacariec force-pushed the issues/410 branch 2 times, most recently from 3c85c95 to 21fbba9 Compare January 28, 2025 03:26
@zacariec zacariec self-assigned this Jan 28, 2025
@zacariec zacariec marked this pull request as ready for review January 28, 2025 03:28
@zacariec zacariec requested a review from charlespwd February 11, 2025 05:21
charlespwd
charlespwd approved these changes Feb 13, 2025
View reviewed changes
Copy link
Contributor

@charlespwd charlespwd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Patch could be minor but patch is fine too

@zacariec
Add allowedDomains check for RemoteAsset theme checker
dc8c9fd 
Enhances developer experience by validating the remote assets (scripts,
stylesheets) are loaded not only from Shopify CDNs but now approved
domains. This prevents potential performance risks and incorrect errors
from loading resources from untrusted sources, forcing developers to go
and enable a source if it's _required_

The implementation includes:
- Schema property for configuring allowedDomains
- Domain validation against configured allow list
- Test coverage for both allowed and non-allowed domains

Reverted minor changeset to patch bump

Fixed prettier issues

Refactor domain list from global to parameter

Changes domain validation to accept allowedDomains as a parameter
instead of mutating a global array. This improves code clarity and
testability by making data flow explicit.

The change reduces side effets by:
- Removing relince on shared mutable state
- Making dpendencies clear through function signatures
- Enabling better unit testing of domain validation logic

Added file formatting

Add normalisaztion & tests.

- Added normalization to domains
- Added extra tests to test against and for normalisation of strings.

Update domains in test

refactor: remove redundant regex validation in normaliseAllowedDomains

- Remove regex pre-validation since new URL() already enforces strict
URL standards
- Simplify code by relying solely on new URL() for validation and
normalisation

Fixed issue where malformed URLs were throwing type errors.

The test case urls were malformed as expected, but the new URL
constructor was throwing Type Errors, which is expected if not wrapped
in a try...catch block.

Fixed by wrapping in a try...catch and returning false when malformed.
@zacariec zacariec merged commit 5afd984 into main Feb 24, 2025
6 checks passed
@zacariec zacariec deleted the issues/410 branch February 24, 2025 03:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@charlespwd charlespwd charlespwd approved these changes

Assignees

@zacariec zacariec

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add config exceptions to Remote Asset check
2 participants
@zacariec @charlespwd