
fix(platform-server): harden platform location origin validation during SSR#69184

Closed
alan-agius4 wants to merge 3 commits into
angular:mainfrom
alan-agius4:platform-server-runtime-error-origin-fix

Conversation

@alan-agius4
Contributor

@alan-agius4 alan-agius4 commented Jun 5, 2026

Align ServerPlatformLocation state modification behavior (replaceState and pushState) with the browser's HTML5 History API by enforcing same-origin validation.

In a browser environment, calling replaceState/pushState with a cross-origin URL throws a SecurityError. Previously, the emulated ServerPlatformLocation in platform-server silently allowed cross-origin state changes. If application code passed untrusted input to replaceState/pushState during SSR, this could cause the base URL to be changed, resulting in potential SSRF and credential leaks for relative HTTP requests.

To mitigate this:

  1. Add an allowOriginChange option to ResolveUrlOptions. If false, resolveUrl validates that the resolved URL's origin matches the base URL's origin.
  2. Update ServerPlatformLocation.replaceState to call resolveUrl with allowOriginChange: false.

Update platform-server to use Angular's native `RuntimeError` class.
This aligns error throwing patterns in platform-server with other packages of the framework such as core, common, and platform-browser.

For URL and host errors, the error messages are configured to return only the raw dynamic URL when `ngDevMode` is false (in production) to aid in troubleshooting without bloating production bundles.
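The following is an added example, not code from Angular's platform-server or from this PR. It models the same-origin check the description above asks for: a URL is resolved against the current base URL, and with `allowOriginChange: false` any result whose origin differs is refused, the way a browser's `pushState`/`replaceState` throws a `SecurityError`. It also walks through the stated failure mode, an unchecked `replaceState` swapping the base URL so that a later relative request resolves to an attacker host. The names `resolveUrl`, `ResolveUrlOptions` and `allowOriginChange` are taken from the PR text; their signatures, the `EmulatedServerLocation` class and all sample URLs are assumptions made for this illustration.

```typescript
// Added example; not Angular's own code. Names resolveUrl, ResolveUrlOptions and
// allowOriginChange come from the PR description; everything else is assumed.

interface ResolveUrlOptions {
  /** When false, the resolved URL must have the same origin as the base URL. */
  allowOriginChange?: boolean;
}

/** Resolve `input` against `base` with WHATWG URL parsing, optionally enforcing same-origin. */
function resolveUrl(base: string, input: string, opts: ResolveUrlOptions = {}): URL {
  const baseUrl = new URL(base);
  const resolved = new URL(input, baseUrl);
  // Compare normalised origins (scheme + host + port), never raw strings:
  // "https://app.example:443/x" is same-origin; "javascript:..." has origin "null".
  if (opts.allowOriginChange === false && resolved.origin !== baseUrl.origin) {
    throw new Error(
      `SecurityError: origin ${resolved.origin} does not match base origin ${baseUrl.origin}`,
    );
  }
  return resolved;
}

/** Minimal stand-in for a server-side location whose base URL can be rewritten. */
class EmulatedServerLocation {
  private url: URL;
  constructor(href: string) {
    this.url = new URL(href);
  }
  get href(): string {
    return this.url.href;
  }
  /** Pre-fix behaviour: accepts any URL, including a cross-origin one. */
  replaceStateUnchecked(newUrl: string): void {
    this.url = resolveUrl(this.url.href, newUrl);
  }
  /** Post-fix behaviour: same-origin only. */
  replaceState(newUrl: string): void {
    this.url = resolveUrl(this.url.href, newUrl, {allowOriginChange: false});
  }
  /** Where a relative request such as "/api/me" would be sent from this location. */
  resolveRelative(path: string): string {
    return new URL(path, this.url).href;
  }
}

/** Classify an untrusted URL the way the hardened replaceState would. */
function originCheck(base: string, input: string): 'allowed' | 'rejected' {
  try {
    resolveUrl(base, input, {allowOriginChange: false});
    return 'allowed';
  } catch {
    return 'rejected';
  }
}

/** SSRF path: a protocol-relative attacker URL becomes the base, so a later
 *  relative request (and any cookies/headers attached to it) goes to the attacker. */
function uncheckedRelativeRequest(): string {
  const loc = new EmulatedServerLocation('https://app.example/');
  loc.replaceStateUnchecked('//evil.example/login'); // constructed untrusted input
  return loc.resolveRelative('/api/me');
}

/** Same scenario with the hardened replaceState: the base URL stays put. */
function hardenedRelativeRequest(): string {
  const loc = new EmulatedServerLocation('https://app.example/');
  try {
    loc.replaceState('//evil.example/login');
  } catch {
    // SecurityError: the cross-origin update is refused and the base is unchanged.
  }
  return loc.resolveRelative('/api/me');
}

// Constructed sample inputs, all resolved against https://app.example/
const BASE = 'https://app.example/';
const SAMPLES: Record<string, 'allowed' | 'rejected'> = {
  '/dashboard?x=1': originCheck(BASE, '/dashboard?x=1'), // same origin
  'https://app.example:443/x': originCheck(BASE, 'https://app.example:443/x'), // default port
  '//evil.example/login': originCheck(BASE, '//evil.example/login'), // host change
  'http://app.example/': originCheck(BASE, 'http://app.example/'), // scheme change
  'https://app.example:8443/': originCheck(BASE, 'https://app.example:8443/'), // port change
  'javascript:alert(1)': originCheck(BASE, 'javascript:alert(1)'), // opaque origin "null"
};

console.log(uncheckedRelativeRequest()); // https://evil.example/api/me
console.log(hardenedRelativeRequest()); // https://app.example/api/me
console.log(SAMPLES);
```

The check is on `URL.origin` rather than on a string prefix so that scheme and port changes (`http://`, `:8443`) are caught, the default port is not a false positive, and opaque-origin schemes such as `javascript:` fall out as rejected without a separate allow-list.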
@pullapprove pullapprove Bot requested a review from JeanMeche June 5, 2026 10:18
…ng SSR

Add allowOriginChange option to ResolveUrlOptions in resolveUrl to enforce same-origin validation on resolved URLs. When set to false, it prevents any cross-origin changes (including HTTP/HTTPS URLs), aligning the emulated server-side platform location environment with browser security behavior.

Refactor ServerPlatformLocation.replaceState to use allowOriginChange: false instead of manual comparison, hardening state change validation against cross-origin URLs.

Add unit tests in url_spec.ts and platform_location_spec.ts for the origin validation changes.
@angular-robot angular-robot Bot added the area: server Issues related to server-side rendering label Jun 5, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 5, 2026
@alan-agius4 alan-agius4 force-pushed the platform-server-runtime-error-origin-fix branch from 3874990 to 35f2784 Compare June 5, 2026 10:18
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release target: minor This PR is targeted for the next minor release and removed target: patch This PR is targeted for the next patch release labels Jun 5, 2026
JeanMeche

This comment was marked as off-topic.

Comment thread packages/platform-server/src/errors.ts
@pullapprove pullapprove Bot requested review from JeanMeche and crisbeto June 5, 2026 11:06
Member

@JeanMeche JeanMeche left a comment


reviewed-for: public-api

@alan-agius4 alan-agius4 removed the request for review from crisbeto June 5, 2026 11:10
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 5, 2026
@alan-agius4 alan-agius4 force-pushed the platform-server-runtime-error-origin-fix branch from 7f36122 to 39d0e1b Compare June 5, 2026 11:49
@atscott
Contributor

atscott commented Jun 5, 2026

This PR was merged into the repository. The changes were merged into the following branches:

@atscott atscott closed this in abfb04a Jun 5, 2026
atscott pushed a commit that referenced this pull request Jun 5, 2026
…ng SSR (#69184)

Add allowOriginChange option to ResolveUrlOptions in resolveUrl to enforce same-origin validation on resolved URLs. When set to false, it prevents any cross-origin changes (including HTTP/HTTPS URLs), aligning the emulated server-side platform location environment with browser security behavior.

Refactor ServerPlatformLocation.replaceState to use allowOriginChange: false instead of manual comparison, hardening state change validation against cross-origin URLs.

Add unit tests in url_spec.ts and platform_location_spec.ts for the origin validation changes.

PR Close #69184

Labels

action: merge The PR is ready for merge by the caretaker area: server Issues related to server-side rendering target: minor This PR is targeted for the next minor release
