Skip to content

Add hosted HTML apps prototype to Shopify CLI#6796

Draft
elanalynn wants to merge 1 commit intomainfrom
cx-hosted-apps-cli-prototype
Draft

Add hosted HTML apps prototype to Shopify CLI#6796
elanalynn wants to merge 1 commit intomainfrom
cx-hosted-apps-cli-prototype

Conversation

@elanalynn
Copy link
Contributor

@elanalynn elanalynn commented Jan 23, 2026

This commit implements a prototype for hosted HTML applications in the Shopify CLI, based on technical requirements for static/hosted apps.

Key Features

  • New hosted_html extension type specification
  • Support for pure HTML/CSS/JS apps (no React required)
  • Iframe sandboxing with srcdoc for security isolation
  • Hash-based routing support via postMessage API
  • Static file serving with comprehensive MIME type support
  • File validation (size limits, HTTPS enforcement)
  • Dev server integration with sandboxed rendering

Files Added

  • hosted_html.ts: Extension specification with validation
  • Middleware: getHostedHtmlMiddleware() for sandboxed serving
  • Test app: Complete sample hosted HTML application
  • Documentation: HOSTED_HTML_PROTOTYPE.md

Implementation Details

Security Model

  • Iframe with srcdoc creates null origin for isolation
  • Sandbox attributes: allow-scripts, allow-same-origin, allow-forms
  • CSP headers restrict frame ancestors
  • HTTPS enforcement for external resources
  • 50MB bundle size limit

Build System

  • Uses existing copy_files build mode
  • Copies HTML, CSS, JS, images, fonts to dist/
  • Validates file types and sizes
  • Ignores node_modules, .git, test files

Dev Server

  • New route handler for hosted_html extensions
  • Wraps content in sandboxed iframe wrapper
  • Supports client-side navigation via postMessage
  • Serves assets from build directory

Technical Background

Based on internal tech docs and discussions about:

  • Asset management and CDN scalability
  • Security sandboxing similar to UI extensions
  • Content-addressable hashing for assets (future work)
  • Direct API access by default
  • Escape hatch from UI Extensions framework

Testing

Sample test app included in test-hosted-app/:

  • Demonstrates pure HTML/CSS/JS structure
  • Client-side routing example
  • Sandboxed execution validation
  • Mock API integration

Future Work

  • AMF module integration for deployment
  • Content-addressable asset hashing
  • Image optimization service integration
  • Subdomain isolation per app
  • Session token support for Shopify API

🤖 Generated with Claude Code

WHY are these changes introduced?

Fixes #0000

WHAT is this pull request doing?

How to test your changes?

Post-release steps

Measuring impact

How do we know this change was effective? Please choose one:

  • n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
  • Existing analytics will cater for this addition
  • PR includes analytics changes to measure impact

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes

@MitchLillie @claude
Add hosted HTML apps prototype to Shopify CLI
f43b17c 
This commit implements a prototype for hosted HTML applications in the
Shopify CLI, based on technical requirements for static/hosted apps.

## Key Features

- New `hosted_html` extension type specification
- Support for pure HTML/CSS/JS apps (no React required)
- Iframe sandboxing with srcdoc for security isolation
- Hash-based routing support via postMessage API
- Static file serving with comprehensive MIME type support
- File validation (size limits, HTTPS enforcement)
- Dev server integration with sandboxed rendering

## Files Added

- `hosted_html.ts`: Extension specification with validation
- Middleware: `getHostedHtmlMiddleware()` for sandboxed serving
- Test app: Complete sample hosted HTML application
- Documentation: HOSTED_HTML_PROTOTYPE.md

## Implementation Details

### Security Model
- Iframe with srcdoc creates null origin for isolation
- Sandbox attributes: allow-scripts, allow-same-origin, allow-forms
- CSP headers restrict frame ancestors
- HTTPS enforcement for external resources
- 50MB bundle size limit

### Build System
- Uses existing `copy_files` build mode
- Copies HTML, CSS, JS, images, fonts to dist/
- Validates file types and sizes
- Ignores node_modules, .git, test files

### Dev Server
- New route handler for hosted_html extensions
- Wraps content in sandboxed iframe wrapper
- Supports client-side navigation via postMessage
- Serves assets from build directory

## Technical Background

Based on internal tech docs and discussions about:
- Asset management and CDN scalability
- Security sandboxing similar to UI extensions
- Content-addressable hashing for assets (future work)
- Direct API access by default
- Escape hatch from UI Extensions framework

## Testing

Sample test app included in `test-hosted-app/`:
- Demonstrates pure HTML/CSS/JS structure
- Client-side routing example
- Sandboxed execution validation
- Mock API integration

## Future Work

- AMF module integration for deployment
- Content-addressable asset hashing
- Image optimization service integration
- Subdomain isolation per app
- Session token support for Shopify API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@elanalynn elanalynn mentioned this pull request Jan 23, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elanalynn @MitchLillie