fix: ignore .woff2 and modern static-asset extensions#3
Merged
marcin-prerender merged 1 commit intoJun 12, 2026
Conversation
Two related fixes to keep static assets out of the render service: 1. The default blacklist predates several modern asset formats. Add *.otf, *.eot, *.webp, *.avif, *.webmanifest (woff2 was already present), aligning with the integration contract (CONTRACT.md §3). 2. Blacklist matching used Str::is against getRequestUri(), which includes the query string — so /font.woff2?v=3 did not match *.woff2 and was forwarded to the Prerender service. Strip the query string from both the request URI and the Referer before matching. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
OpsBeaconCharles
approved these changes
Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The bug(s)
Two related issues kept modern static assets flowing into the render service:
*.woff2was already present here, but*.otf,*.eot,*.webp,*.avif,*.webmanifestwere missing.PrerenderMiddlewarematched blacklist patterns withStr::isagainst$request->getRequestUri(), which includes the query string. So a bot request for/font.woff2?v=3did not match*.woff2and was forwarded to the Prerender service. Cache-busting query params (?v=,?ver=, hashes) are ubiquitous on font/asset URLs, so in practice the suffix blacklist was silently bypassed for a large share of asset traffic.Live evidence
Verified against prerender.io itself: Googlebot requesting prerender.io's own
inter-*.woff2font gets a 504 (the same request with a normal browser UA returns 200), while.css/.jsrequests correctly bypass the integration. Static assets should never be sent to the render service.Coordinated propagation
This propagates the canonical update to the integration contract's static-asset ignore list (CONTRACT.md §3): prerender/integration-contract#1. The same fix is being applied across the official integration repos.
Changes
config/prerender.php: added*.otf,*.eot,*.webp,*.avif,*.webmanifestto the defaultblacklist.src/PrerenderMiddleware.php: blacklist matching now strips the query string (everything from?) from both the request URI and theRefererheader beforeStr::ismatching. The request side otherwise still usesgetRequestUri()(base path preserved); the Referer is still matched as a full URL, just without its query string.tests/Feature/PrerenderMiddlewareTest.php: new test — a bot request for/font.woff2?v=3passes through (fixture blacklist extended with*.woff2).README.md: documented that blacklist matching ignores query strings.Behavior changes (please review)
/font.woff2?v=3will no longer be prerendered. This is the intent of the fix.*?nocache*) will no longer match. The default config contains no such patterns, but user configs could.Tests
Not run locally — no
php/composertoolchain on this machine (which php composercame up empty). CI should run the Pest suite (PrerenderMiddlewareTest+ContractTest).🤖 Generated with Claude Code