Skip to content

fix: ignore .woff2 and modern static-asset extensions#3

Merged
marcin-prerender merged 1 commit into
prerender:mainfrom
marcin-prerender:fix/ignore-woff2-and-modern-static-assets
Jun 12, 2026
Merged

fix: ignore .woff2 and modern static-asset extensions#3
marcin-prerender merged 1 commit into
prerender:mainfrom
marcin-prerender:fix/ignore-woff2-and-modern-static-assets

Conversation

@marcin-prerender

Copy link
Copy Markdown
Contributor

The bug(s)

Two related issues kept modern static assets flowing into the render service:

  1. Incomplete default blacklist. The blocklist predates several modern asset formats. *.woff2 was already present here, but *.otf, *.eot, *.webp, *.avif, *.webmanifest were missing.
  2. Query strings defeat the blacklist entirely. PrerenderMiddleware matched blacklist patterns with Str::is against $request->getRequestUri(), which includes the query string. So a bot request for /font.woff2?v=3 did not match *.woff2 and was forwarded to the Prerender service. Cache-busting query params (?v=, ?ver=, hashes) are ubiquitous on font/asset URLs, so in practice the suffix blacklist was silently bypassed for a large share of asset traffic.

Live evidence

Verified against prerender.io itself: Googlebot requesting prerender.io's own inter-*.woff2 font gets a 504 (the same request with a normal browser UA returns 200), while .css/.js requests correctly bypass the integration. Static assets should never be sent to the render service.

Coordinated propagation

This propagates the canonical update to the integration contract's static-asset ignore list (CONTRACT.md §3): prerender/integration-contract#1. The same fix is being applied across the official integration repos.

Changes

  • config/prerender.php: added *.otf, *.eot, *.webp, *.avif, *.webmanifest to the default blacklist.
  • src/PrerenderMiddleware.php: blacklist matching now strips the query string (everything from ?) from both the request URI and the Referer header before Str::is matching. The request side otherwise still uses getRequestUri() (base path preserved); the Referer is still matched as a full URL, just without its query string.
  • tests/Feature/PrerenderMiddlewareTest.php: new test — a bot request for /font.woff2?v=3 passes through (fixture blacklist extended with *.woff2).
  • README.md: documented that blacklist matching ignores query strings.

Behavior changes (please review)

  • Blacklisted suffix patterns now also match URLs with query strings — URLs like /font.woff2?v=3 will no longer be prerendered. This is the intent of the fix.
  • Blacklist patterns that deliberately matched on query-string content (e.g. *?nocache*) will no longer match. The default config contains no such patterns, but user configs could.
  • The whitelist check is intentionally untouched and still matches against the full request URI including the query string.
  • The Referer-based blacklist check now also ignores the Referer's query string (symmetric with the request side).

Tests

Not run locally — no php/composer toolchain on this machine (which php composer came up empty). CI should run the Pest suite (PrerenderMiddlewareTest + ContractTest).

🤖 Generated with Claude Code

Two related fixes to keep static assets out of the render service:

1. The default blacklist predates several modern asset formats. Add
   *.otf, *.eot, *.webp, *.avif, *.webmanifest (woff2 was already
   present), aligning with the integration contract (CONTRACT.md §3).

2. Blacklist matching used Str::is against getRequestUri(), which
   includes the query string — so /font.woff2?v=3 did not match
   *.woff2 and was forwarded to the Prerender service. Strip the
   query string from both the request URI and the Referer before
   matching.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@marcin-prerender marcin-prerender merged commit 9a5b575 into prerender:main Jun 12, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants