[PR #95] [MERGED] fix: use Host header for server action origin check #304

New issue

Closed

opened 2026-05-06 12:39:04 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:04 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/95
Author: @southpolesteve
Created: 2/26/2026
Status: ✅ Merged
Merged: 2/26/2026
Merged by: @southpolesteve

Base: main ← Head: fix/host-header-origin-check

📝 Commits (1)

6878aa1 fix: use Host header for server action origin check

📊 Changes

2 files changed (+36 additions, -1 deletions)

View changed files

📝 packages/vinext/src/server/app-dev-server.ts (+5 -1)
📝 tests/app-router.test.ts (+31 -0)

📄 Description

Summary

Changes the server action origin validation to prefer the Host header over X-Forwarded-Host, matching the trusted-host logic already used in the production server.

X-Forwarded-Host can be freely set by the client, so using it in the origin comparison allows the check to be bypassed by sending a matching Origin and X-Forwarded-Host pair. The Host header is set by the HTTP stack and is the correct value to compare against.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/95 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 2/26/2026 **Status:** ✅ Merged **Merged:** 2/26/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `fix/host-header-origin-check` --- ### 📝 Commits (1) - [`6878aa1`](https://github.com/cloudflare/vinext/commit/6878aa1dce3138ae58c5ed0b6c601b07d7e68772) fix: use Host header for server action origin check ### 📊 Changes **2 files changed** (+36 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/server/app-dev-server.ts` (+5 -1) 📝 `tests/app-router.test.ts` (+31 -0) </details> ### 📄 Description ## Summary Changes the server action origin validation to prefer the Host header over X-Forwarded-Host, matching the trusted-host logic already used in the production server. X-Forwarded-Host can be freely set by the client, so using it in the origin comparison allows the check to be bypassed by sending a matching Origin and X-Forwarded-Host pair. The Host header is set by the HTTP stack and is the correct value to compare against. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>