Comments (19)
And here is the gist with things that we do allow. https://gist.github.com/carolinan/7c2b002465b260ab3a74ec2d9b924c8c
from wpthemereview.
This is the rule as stated in the handbook:
Include all scripts and resources it uses rather than hot-linking. The exception to this is Google Fonts.
Maybe the title of this issue should be adjusted ? CDNs can also be used for (background/header) images and AFAICS the handbook does not (currently) explicitly prohibit that.
Another handbook ref for this:
https://make.wordpress.org/themes/handbook/review/required/theme-check-plugin/#cdn
Lastly, I'd like to see some discussion on whether the current list of CDNs which are checked for is sufficient or if more CDNs should be added and if so, which.
from wpthemereview.
https://cdnjs.com/ should be on there.
from wpthemereview.
I think this can be an ERROR. The only resources that can be hot linked are Google Fonts. Nothing else is allowed to my knowledge.
from wpthemereview.
I have a sniff ready for this.
from wpthemereview.
Hi! Do we have a decision on what CDN urls should be allowed? We should have a definite list so that we can update the #108 PR.
We should brought this up in a meeting, or if we already have this list we can add it here or in the PR so that it's merged.
from wpthemereview.
None except google fonts.
The requirement says: Include all scripts and resources.
https://make.wordpress.org/themes/handbook/review/required/#stylesheets-and-scripts
Like Kevin says this should be an error not a warning.
And we should avoid using the word "discouraged" when it is not allowed.
https://fonts.googleapis.com
https://fonts.gstatic.com
from wpthemereview.
Then we should remove the scripts that are in the whitelist section of this PR and only allow google fonts.
from wpthemereview.
I'm updating the PR at this moment. For the implementation of this, I have some additional questions to verify if I'm understanding this correctly and whether the sniff does what it's supposed to do:
- So, only google fonts are allowed, using the two URLs mentioned by @carolinan.
This means the sniff will need to be changed from blacklist to whitelist. - IIRC fonts would be registered via
wp_register_style()
orwp_enqueue_style()
. Never as a script.
If that's correct, any URL in the$source
of a script register/enqueue should always throw anerror
.
For styles, the whitelist would be checked and if not Google fonts, anerror
will be thrown. - What should the sniff do if the
$source
is a variable ? Throw awarning
? Try and walk the scope within which it is found to find the variable declaration ? - My earlier question about resources hosted on CDNs other than scripts/styles, still remains.
If this needs to be checked, code samples of what should be forbidden would be very welcome.
If the sniff is broadened beyond the register/enqueue script/style calls, it could also solve the "sniffs hiding behind each other" issue.
Note: This is something which can be added to the sniff at a later point in time.
from wpthemereview.
- seems like it would already have been whitelist
- This sniff is talking about all resources, not just styles. So any style or script or image or font or demo.xml has to be a theme URL, except for Google fonts. I'm not sure of the differences in coding when using Google Font loader as opposed to linking directly to Google Font.
- I think a warning to check the URL is good.
- See 2. The only other proposed use was for FontAwesome, and that has versions, so it could still cause conflicts.
from wpthemereview.
-
No, it was not. If you look at the PR in #108, you can see that it used a blacklist and would only throw an error if something on that list was encountered.
Blacklist approaches tend to underreport (miss things which should trigger an error), whitelist approaches tend to overreport (throw errors for things which are fine).
A whitelist approach for this sniff is going to be interesting, but complicated to implement as the
$src
can also be a local file and we'd want to minimize false positives. If the$src
, however, is passed as a variable, constant or via a nested function call, it will be very difficult in most cases to reliably determine whether a local file or a URL is being passed to the function call. -
(and 4) In that case, I need a whole lot of code samples of things which are forbidden to properly determine what to sniff for.
So, please, everyone who wants this sniff to actually be finished and merged, please leave comments with code samples of things which are not allowed.
from wpthemereview.
complicated to implement as the
$src
can also be a local file
That's the point. Everything should be a local file, except Google Fonts.
from wpthemereview.
That's the point. Everything should be a local file
I know, but that doesn't mean that it is sniffable.
from wpthemereview.
Well, it's either a variable or one of the get_template_*
functions or Google. What else do you need?
I suppose there could be a constant also, but that is discouraged.
from wpthemereview.
Actions needed
- It would be really helpful for finishing this off to have code samples of both things which should be flagged as well as things which shouldn't be. The more variety in the code samples, the better!
from wpthemereview.
This gist contains: Things we don't allow + some CSS, HTML and JS question marks
TLDR:
https://stackpath.bootstrapcdn.com
https://maxcdn.bootstrapcdn.com/
https://cdnjs.cloudflare.com/ajax/libs/
https://use.fontawesome.com/
https://ajax.googleapis.com/ajax/libs/jquery/
//code.jquery.com/ui/
and one new addition:
db.onlinewebfonts.com/
from wpthemereview.
That looks similar to the PR I put in for Theme Check. (not merged yet)
WordPress/theme-check@eec60da
from wpthemereview.
use.typekit.net also needs to be blacklisted since we do not allow it and because of licensing.
from wpthemereview.
Since we have a list of things to allow, and disallow, I'll remove the decision needed tag, so that we know this can be worked on.
from wpthemereview.
Related Issues (20)
- variables in template files are flagged as global HOT 15
- Exceptions to prefixing hook names HOT 7
- False positive on loading stylesheet in JS file HOT 4
- [New sniff] WC template versions HOT 7
- Dealing with rules that shouldn't apply to templates HOT 1
- Add sniff: WordPress.PHP.IniSet HOT 6
- [New sniff] Check if page templates are using reserved prefix HOT 1
- Detect WPTRT feature project versions HOT 3
- Add sniff documentation HOT 1
- Minimal PHP version HOT 11
- Whitelist wp_body_open function from PrefixAllGlobals sniff HOT 5
- sniff: plugin territory - action hook wp_edit_nav_menu_walker
- File name with reserved slug in subfolder HOT 11
- Optimisation and minor grammar fixes
- [Implement sniff] Warn about short ternary usage in themes HOT 9
- Internal.Exception -- function update_current_version() should be removed.
- [Update existing sniff] Allow register_block_style HOT 1
- Allow `add_menu_page` & `add_submenu_page` HOT 9
- twentyseventeen theme: posts with no date - but date is shown in similar posts HOT 1
- 👍
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wpthemereview.