From 59a63e414c821836909608ac2f8db7d5524cdc84 Mon Sep 17 00:00:00 2001
From: Faisal Ahammad <faisalahammad24@gmail.com>
Date: Thu, 12 Feb 2026 22:44:34 +0600
Subject: [PATCH] Fix #1156: Enable EnqueuedResourceOffloading check to detect
 external CDN usage

This commit enables the existing EnqueuedResourceOffloadingSniff in the
plugin-check ruleset to detect when plugins load external assets from
third-party CDNs without user consent, addressing a privacy guideline
violation (WordPress.org guideline #7).

The sniff already existed and was fully functional with comprehensive
unit tests, but was not included in the plugin-check.ruleset.xml file.
This simple addition now ensures PCP will flag CDN usage from jsdelivr,
unpkg, cloudflare, bootstrapcdn, and 20+ other known CDN services.
---
 phpcs-rulesets/plugin-check.ruleset.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/phpcs-rulesets/plugin-check.ruleset.xml b/phpcs-rulesets/plugin-check.ruleset.xml
index ab760d7d5..e387c77fc 100644
--- a/phpcs-rulesets/plugin-check.ruleset.xml
+++ b/phpcs-rulesets/plugin-check.ruleset.xml
@@ -158,4 +158,9 @@
 	<!-- Check for discouraged functions. -->
 	<rule ref="PluginCheck.CodeAnalysis.DiscouragedFunctions"/>
 
+	<!-- Check for external CDN asset loading (privacy guideline #7). -->
+	<rule ref="PluginCheck.CodeAnalysis.EnqueuedResourceOffloading">
+		<severity>7</severity>
+	</rule>
+
 </ruleset>