
PCP does not detect external CDN asset loading (privacy guideline violation) #1156

@shameemreza

Description


While testing a plugin, I noticed it loads assets from an external CDN without explicit user consent. This is not allowed under the WordPress.org plugin guidelines, unless it's part of a SaaS integration or the user has explicitly opted in.

According to the guidelines, plugins should not offload assets like scripts or styles to external servers without consent, as this can impact user privacy.

Example from the plugin code:

```php
if ( $this->include_phone_assets ) {
	$assets[] = array(
		'type'   => 'css',
		'handle' => self::$plugin_info['name'] . '-settings-phone-input-css',
		'url'    => 'https://cdn.jsdelivr.net/npm/intl-tel-input@21.2.4/build/css/intlTelInput.css',
	);
	$assets[] = array(
		'type'   => 'js',
		'handle' => self::$plugin_info['name'] . '-settings-phone-input-js',
		'url'    => 'https://cdn.jsdelivr.net/npm/intl-tel-input@21.2.4/build/js/intlTelInput.min.js',
	);
}
```

These assets are unrelated to a SaaS service and are loaded directly from an external CDN.

PCP did not flag this usage during testing.

Suggested reproduction steps

  • Create a test plugin that enqueues CSS or JS assets from an external CDN, similar to the example above.
  • Run the plugin through PCP.
  • Observe that PCP does not report external asset loading or a privacy-related warning.

Expected behavior

PCP should detect and flag external asset loading from third-party CDNs when there is no clear opt-in or documented consent, especially when the assets are not tied to a SaaS service.

Suggested check

A regex pattern to detect external URLs in wp_enqueue_script() and wp_enqueue_style() calls that don't match allowed domains (like Google Fonts).
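A stand-alone sketch of the suggested check, written here as an added example rather than PCP's own code: it scans PHP source for `wp_enqueue_script()`/`wp_enqueue_style()` calls and for `'url' =>` asset-array entries like the ones in the snippet above, and reports any absolute URL whose host is not on an allow list. The allow list, the `wp_register_*` and `'src'` patterns, and the sample PHP are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Hosts treated as acceptable (the issue names Google Fonts). Constructed placeholder
# list; a real check would load this from configuration.
ALLOWED_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Where an asset gets registered: a direct wp_enqueue_*/wp_register_* call, or an
# asset-array key such as 'url' => '...' (key names 'url'/'src' are assumed here).
ASSET_CONTEXT_RE = re.compile(
    r"wp_(?:enqueue|register)_(?:script|style)\s*\(|['\"](?:url|src)['\"]\s*=>", re.I
)
# A quoted absolute (https://...) or protocol-relative (//...) URL literal.
URL_LITERAL_RE = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""", re.I)


def external_asset_findings(php_source, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_number, host, url) for every asset URL on a non-allowed host."""
    findings, seen = [], set()
    for ctx in ASSET_CONTEXT_RE.finditer(php_source):
        # Inspect the text from the call/key up to the end of the statement, so
        # multi-line calls are covered without a full PHP parser.
        end = php_source.find(";", ctx.end())
        end = len(php_source) if end == -1 else end
        for m in URL_LITERAL_RE.finditer(php_source, ctx.end(), end):
            url = m.group(1)
            host = (urlparse(url if "://" in url else "https:" + url).hostname or "").lower()
            if host in allowed_hosts or (m.start(), url) in seen:
                continue
            seen.add((m.start(), url))
            findings.append((php_source.count("\n", 0, m.start()) + 1, host, url))
    return findings


# Constructed sample: the issue's two CDN entries, an allowed Google Fonts style,
# and a local asset served via plugins_url() that must not be flagged.
SAMPLE_PHP = """<?php
$assets[] = array(
    'type'   => 'css',
    'url'    => 'https://cdn.jsdelivr.net/npm/intl-tel-input@21.2.4/build/css/intlTelInput.css',
);
$assets[] = array(
    'type'   => 'js',
    'url'    => 'https://cdn.jsdelivr.net/npm/intl-tel-input@21.2.4/build/js/intlTelInput.min.js',
);
wp_enqueue_style( 'example-fonts', 'https://fonts.googleapis.com/css2?family=Inter' );
wp_enqueue_script( 'example-local', plugins_url( 'assets/app.js', __FILE__ ), array(), '1.0', true );
"""

if __name__ == "__main__":
    for lineno, host, url in external_asset_findings(SAMPLE_PHP):
        print(f"line {lineno}: external asset from {host}: {url}")
```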
