Skip to content

Harden Partytown reverse proxy recipe#3809

Open
fredericoo wants to merge 1 commit into
mainfrom
fb-fix-partytown-reverse-proxy
Open

Harden Partytown reverse proxy recipe#3809
fredericoo wants to merge 1 commit into
mainfrom
fb-fix-partytown-reverse-proxy

Conversation

@fredericoo

@fredericoo fredericoo commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

WHY are these changes introduced?

Fixes #3808

The Partytown recipe is production guidance, and its reverse proxy should not serve arbitrary upstream content as same-origin storefront content. The previous route allowlisted request origins, but it still forwarded upstream response types directly and let fetch() follow redirects before the recipe could validate the final target.

WHAT is this pull request doing?

  • Requires proxied responses to use a JavaScript content type before forwarding them.
  • Uses manual redirect handling so every Location is checked against the allowlist before the next request is made.
  • Adds X-Content-Type-Options: nosniff and a restrictive CSP to successful proxied responses.
  • Regenerates the Partytown recipe README and LLM prompt, and updates the recipe package patch so it applies after catalog/workspace resolution.

HOW to test your changes?

  • pnpm --dir cookbook exec vitest run recipes/partytown/__tests__/partytown.test.ts
  • pnpm exec prettier --check cookbook/recipes/partytown/__tests__/partytown.test.ts cookbook/recipes/partytown/ingredients/templates/skeleton/app/routes/reverse-proxy.ts
  • patch --dry-run -p1 < cookbook/recipes/partytown/patches/package.json.8e0ff5.patch && patch --dry-run -p1 < cookbook/recipes/partytown/patches/README.md.1764cd.patch
  • git diff --check

Validation caveat: pnpm --dir cookbook exec ts-node src/index.ts validate --recipe partytown applies the recipe cleanly, then fails during skeleton codegen with [Codegen] Could not find a schema for "storefront". Retrying with the shared snapshot package version also applies the recipe cleanly, then fails during codegen on the React Router future.unstable_splitRouteModules flag rename.

Checklist

  • I've read the Contributing Guidelines
  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've added a changeset if this PR contains user-facing or functional changes. Test changes or internal-only config changes do not require a changeset.
  • I've added tests to cover my changes
  • I've added or updated the documentation

@fredericoo
fix(cookbook): harden partytown reverse proxy
f0c35f2 
The Partytown recipe is production guidance, so its same-origin proxy needs to fail closed instead of forwarding unsafe upstream content. This rejects non-JavaScript responses, validates redirects before following them, and adds defensive response headers while regenerating the recipe README and LLM prompt.
@shopify

shopify Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Oxygen deployed a preview of your fb-fix-partytown-reverse-proxy branch. Details:

Storefront Status Preview link Deployment details Last update (UTC)
Skeleton (skeleton.hydrogen.shop) ✅ Successful (Logs) Preview deployment Inspect deployment June 17, 2026 4:31 PM

Learn more about Hydrogen's GitHub integration.

@fredericoo fredericoo marked this pull request as ready for review June 17, 2026 16:34
@fredericoo fredericoo requested a review from a team as a code owner June 17, 2026 16:34
@fredericoo fredericoo requested review from andguy95 and frandiox June 18, 2026 18:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frandiox frandiox Awaiting requested review from frandiox

@andguy95 andguy95 Awaiting requested review from andguy95

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Hackerone security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Harden the Partytown reverse proxy recipe

1 participant

@fredericoo