Use HTML Tag Processor to audit blocking scripts & styles in Site Health’s enqueued-assets test

[b1ink0]

Summary

Fixes #2030

Relevant technical choices

This PR overhauls the Site Health "Enqueued Scripts" and "Enqueued Styles" tests to accurately detect and report only truly render-blocking scripts and styles, whether loaded from external files or defined inline. It achieves this by performing an unauthenticated loopback request and analyzing the resulting front-end HTML with the WP_HTML_Tag_Processor.

[b1ink0]

Currently, our audit only scans assets located in the WordPress content directory. This raises an question,
how should the audit treat scripts and styles served from a CDN? Should these third-party resources be included in the render-blocking report, excluded entirely, or perhaps flagged separately so we can distinguish external blocking assets from local ones?

I think we’ll also need to consider how to measure their sizes efficiently. One approach could be, sending an HTTP HEAD request to the CDN-hosted URL to check for a Content‑Length header.

[b1ink0]

cc: @westonruter

[westonruter]

From a performance perspective, CDN-served assets could be even worse for performance since they require a new TCP connection, now that browsers don't reuse cached resources across origins. So we definitely should be including them in the render-blocking report.

Sending an HTTP HEAD request for all resources regardless of whether they are on the same origin or not makes sense to me. If the request returns in a 404 then this would be important to report as well.

Once we have the report, then a future enhancement would be digging in to find the theme/plugin responsible for the resource being added in the first place. The AMP plugin implements a lot of this, and it was getting extracted a separate package via https://github.com/GoogleChromeLabs/wp-origination but that effort got stalled and was abandoned. See also #1095.

[b1ink0]

Should we consider a case where a HEAD request does not return a content length due to server configuration? If so, should we then make a GET request?

[westonruter]

Perhaps, but that might be overkill.

[b1ink0]

We currently skip any URL containing wp-includes (i.e. core assets). Since the goal is to surface all render-blocking resources, should we remove that exclusion and include core scripts and styles in the audit as well?

[westonruter]

I think this exclusion should be removed, yes.

[b1ink0]

Currently each inline SCRIPT is reported as its own entry, do we want to continue treating every inline script separately, or would it make sense to aggregate inline scripts into a single summary?

[westonruter]

I don't think inline scripts need to be counted since the render blocking is not significant compared to blocking external scripts.

[codecov]

Codecov Report

Attention: Patch coverage is 90.32258% with 9 lines in your changes missing coverage. Please review.

Project coverage is 67.75%. Comparing base (ff5cc68) to head (e58e451).
Report is 29 commits behind head on trunk.

Files with missing lines	Patch %	Lines
...cludes/site-health/audit-enqueued-assets/hooks.php	91.07%	5 Missing ⚠️
...ludes/site-health/audit-enqueued-assets/helper.php	89.18%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            trunk    #2059      +/-   ##
==========================================
- Coverage   68.03%   67.75%   -0.29%     
==========================================
  Files          92       93       +1     
  Lines        7631     7688      +57     
==========================================
+ Hits         5192     5209      +17     
- Misses       2439     2479      +40     

Flag	Coverage Δ
multisite	67.75% <90.32%> (-0.29%)	⬇️
single	36.96% <90.32%> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[westonruter]

I think it would make sense to combine these two transients into one aea_blocking_assets, or something like that

[westonruter]

Suggested change

	if ( false !== strpos( $resource_url, '?' ) ) {
	$resource_url = substr( $resource_url, 0, strpos( $resource_url, '?' ) );
	}
	$resource_url = preg_replace( '/\?.*/', '', $resource_url );

Nevertheless, the perflab_aea_get_path_from_resource_url() function isn't being used now anymore, right?

[b1ink0]

Yes its not being used anymore I just put comment about it here #2059 (comment).

[b1ink0]

Does it make sense to remove the function perflab_aea_get_path_from_resource_url entirely, as a HEAD request is now made for local assets as well?

performance/plugins/performance-lab/includes/site-health/audit-enqueued-assets/helper.php

Lines 281 to 291 in 8856a14

	/**
	* Convert full URL paths to absolute paths.
	* Covers Standard WP configuration, wp-content outside WP directories and subdirectories.
	* Ex: https://example.com/content/themes/, https://example.com/wp/wp-includes/
	*
	* @since 1.0.0
	*
	* @param string $resource_url URl resource link.
	* @return string Returns absolute path to the resource.
	*/
	function perflab_aea_get_path_from_resource_url( string $resource_url ): string {

[westonruter]

Yes, I think the function can be removed.

[westonruter]

If the site has HTTP Basic auth, then these can be copied in the request headers. This is done in core in the plugin/theme file editors.

[westonruter]

Suggested change

	if ( is_string( $type ) && '' !== $type && 'text/javascript' !== strtolower( $type ) ) {
	if ( 'text/javascript' !== strtolower( (string) $type ) ) {

[b1ink0]

Here, it is necessary to keep '' !== $type since an empty string value for type is considered valid in JavaScript.

Then it can be done like this:

Suggested change

	if ( is_string( $type ) && '' !== $type && 'text/javascript' !== strtolower( $type ) ) {
	if ( '' !== $type && 'text/javascript' !== strtolower( (string) $type ) ) {

[b1ink0]

Okay, this change breaks things because the get_attribute method returns null when the attribute is not present. Therefore, a null !== $type check or the previous is_string( $type ) check needs to be added explicitly.

which check would be better?

[westonruter]

Here, it is necessary to keep '' !== $type since an empty string value for type is considered valid in JavaScript.

Right, this is executed:

<script type>document.write('hello');</script>

There's also this code in core which is relevant here:

https://github.com/WordPress/wordpress-develop/blob/27233a0a3b00cc5d683080722711bca15970fe8c/src/wp-includes/script-loader.php#L2948-L2958

With the HTML API, the tag would be JavaScript if:

1. The type attribute is absent ($type === null)
2. The type attribute is boolean and has no value ($type === true)
3. The type attribute is an empty string ($type === ''), but not if the value has whitespace in which case it is not executed.
4. The type attribute contains javascript, ecmascript, jscript, or livescript.

[westonruter]

There is another special case to consider here, and that is a classic hack for non-blocking stylesheets.

This is commonly implemented by adding media="print" and onload="this.media = 'screen'":

https://www.filamentgroup.com/lab/load-css-simpler/
https://scottjehl.com/posts/async-css-already/

So this case can be accounted for as well. Namely, this can just skip considering any stylesheets which have a media attribute that begins with anything other than all or screen.