
fix(platform-server): harden platform location origin validation during SSR [v21 backport]#69186

Merged
atscott merged 2 commits into
angular:21.2.xfrom
alan-agius4:backport-69184-v21
Jun 5, 2026

Conversation

@alan-agius4
Contributor

Description

Backport of #69184 to 21.2.x.

Align ServerPlatformLocation state modification behavior (replaceState and pushState) with the browser's HTML5 History API by enforcing same-origin validation.

To mitigate this:

  1. Add an allowOriginChange option to ResolveUrlOptions. If false, resolveUrl validates that the resolved URL's origin matches the base URL's origin.
  2. Update ServerPlatformLocation.replaceState to call resolveUrl with allowOriginChange: false.
  3. Replace standard Error instances in platform-server with framework-native RuntimeError instances (codes 5700-5706) for standard errors.

Update platform-server to use Angular's native `RuntimeError` class.
This aligns error throwing patterns in platform-server with other packages of the framework such as core, common, and platform-browser.

For URL and host errors, the error messages are configured to return only the raw dynamic URL when `ngDevMode` is false (in production) to aid in troubleshooting without bloating production bundles.
@pullapprove pullapprove Bot requested a review from crisbeto June 5, 2026 10:53
@angular-robot angular-robot Bot added the area: server Issues related to server-side rendering label Jun 5, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 5, 2026
@alan-agius4 alan-agius4 requested review from JeanMeche and removed request for crisbeto June 5, 2026 10:57
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: lts This PR is targeting a version currently in long-term support labels Jun 5, 2026
@pullapprove pullapprove Bot requested review from JeanMeche and crisbeto June 5, 2026 11:06
Member

@JeanMeche JeanMeche left a comment


reviewed-for: public-api

@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 5, 2026
…ng SSR

Add allowOriginChange option to ResolveUrlOptions in resolveUrl to enforce same-origin validation on resolved URLs. When set to false, it prevents any cross-origin changes (including HTTP/HTTPS URLs), aligning the emulated server-side platform location environment with browser security behavior.

Refactor ServerPlatformLocation.replaceState to use allowOriginChange: false instead of manual comparison, hardening state change validation against cross-origin URLs.

Add unit tests in url_spec.ts and platform_location_spec.ts for the origin validation changes.
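The same-origin rule described in the PR description and in the commit message above, written out as an added illustration. This is not Angular's code and not the diff of this PR: the option name `allowOriginChange`, the `resolveUrl` function and the `replaceState` method are taken from the text, while the emulated location class, the error message, the `checkCandidates` helper and the sample URLs are assumed here for the demonstration.

```typescript
// Added illustration, not Angular's implementation: a minimal resolveUrl with the
// allowOriginChange option from the PR, plus an emulated server-side platform
// location whose replaceState refuses cross-origin targets. Names other than
// resolveUrl / allowOriginChange / replaceState are assumed for this demo.

type Verdict = 'ok' | 'rejected';

interface ResolveUrlOptions {
  /** When false, the resolved URL must keep the base URL's origin (scheme + host + port). */
  allowOriginChange?: boolean;
}

/**
 * Resolve `url` against `base` (WHATWG URL parsing) and return the absolute href.
 * With `allowOriginChange: false`, a resolved origin that differs from the base
 * origin is rejected, the way the browser History API rejects cross-origin
 * pushState/replaceState. A scheme change (http vs https), a host change and a
 * non-default port change all count as an origin change; the default port and
 * host case are normalised by the URL parser, so they do not.
 */
function resolveUrl(url: string, base: string, options: ResolveUrlOptions = {}): string {
  const baseUrl = new URL(base);
  const resolved = new URL(url, baseUrl);
  if (options.allowOriginChange === false && resolved.origin !== baseUrl.origin) {
    throw new Error(`Origin mismatch: ${resolved.origin} is not ${baseUrl.origin}`);
  }
  return resolved.href;
}

/** Classify candidate navigation targets against a base, e.g. when reviewing redirect inputs. */
function checkCandidates(base: string, candidates: string[]): Record<string, Verdict> {
  const result: Record<string, Verdict> = {};
  for (const candidate of candidates) {
    try {
      resolveUrl(candidate, base, {allowOriginChange: false});
      result[candidate] = 'ok';
    } catch {
      result[candidate] = 'rejected';
    }
  }
  return result;
}

/** Emulated server-side location: every state change goes through the same-origin check. */
class EmulatedPlatformLocation {
  private current: URL;
  constructor(base: string) {
    this.current = new URL(base);
  }
  get href(): string {
    return this.current.href;
  }
  /** Mirrors history.replaceState: only same-origin targets update the location. */
  replaceState(url: string): void {
    this.current = new URL(resolveUrl(url, this.current.href, {allowOriginChange: false}));
  }
}

// Constructed sample input (not from the PR): same-origin and cross-origin targets mixed.
const SAMPLE_BASE = 'https://example.com/app/';
const SAMPLE_CANDIDATES = [
  '/about',                      // same origin, absolute path
  'page?x=1',                    // same origin, relative path
  'https://example.com:443/x',   // default port is normalised away -> same origin
  'http://example.com/about',    // scheme change -> rejected
  'https://example.com:8443/x',  // different port -> rejected
  '//other.example/x',           // protocol-relative URL switches host -> rejected
];

function demo(): Record<string, Verdict> {
  return checkCandidates(SAMPLE_BASE, SAMPLE_CANDIDATES);
}

console.log(demo());
```

Note that `origin` comparison is stricter than a host-name comparison: the `http://example.com/about` case has the same host as the base but is still rejected, which is the HTTP/HTTPS case the commit message calls out.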
@alan-agius4 alan-agius4 force-pushed the backport-69184-v21 branch from b1e0672 to bf81ec8 Compare June 5, 2026 11:45
@atscott atscott merged commit 3551074 into angular:21.2.x Jun 5, 2026
17 of 18 checks passed
@atscott
Contributor

atscott commented Jun 5, 2026

This PR was merged into the repository. The changes were merged into the following branches:
