fix(platform-server): backport url validation origin hardening to v20#69188
Merged
Conversation
Update platform-server to use Angular 's native `RuntimeError` class. This aligns error throwing patterns in platform-server with other packages of the framework such as core, common, and platform-browser. For URL and host errors, the error messages are configured to return only the raw dynamic URL when `ngDevMode` is false (in production) to aid in troubleshooting without bloating production bundles.
JeanMeche
approved these changes
Jun 5, 2026
Contributor
Author
|
Disabling pullapprove as this is a backport. |
26b7ed5 to
2f7da54
Compare
2f7da54 to
a18c255
Compare
…ng SSR Align ServerPlatformLocation state modification behavior (replaceState and pushState) with the browser's HTML5 History API by enforcing same-origin validation. In a browser environment, calling replaceState/pushState with a cross-origin URL throws a SecurityError. Previously, the emulated ServerPlatformLocation in platform-server silently allowed cross-origin state changes. If application code passed untrusted input to replaceState/pushState during SSR, this could cause the base URL to be changed, resulting in potential SSRF and credential leaks for relative HTTP requests. To mitigate this: 1. Add an `allowOriginChange` option to `ParseUrlOptions`. If false, `parseUrl` validates that the resolved URL's origin matches the base URL's origin. 2. Update `ServerPlatformLocation.replaceState` to call `parseUrl` with `allowOriginChange: false`.
a18c255 to
675eab0
Compare
Contributor
|
This PR was merged into the repository. The changes were merged into the following branches:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backports the fix and test hardening for platform location origin validation to v20.