[PR #337] [MERGED] Support allowedDevOrigins separately from serverActions.allowedOrigins #489

Closed
opened 2026-05-06 13:08:21 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/337
Author: @JaredStowell
Created: 3/8/2026
Status: Merged
Merged: 3/8/2026
Merged by: @james-elicx

Base: main ← Head: jstowell/fix-allowedDevOrigins


📝 Commits (2)

  • 632cdcf Fix and fully implement allowedDevOrigins
  • f3a5fbb Merge branch 'main' into jstowell/fix-allowedDevOrigins

📊 Changes

8 files changed (+189 additions, -6 deletions)

View changed files

📝 packages/vinext/src/check.ts (+2 -1)
📝 packages/vinext/src/config/next-config.ts (+10 -0)
📝 packages/vinext/src/index.ts (+3 -3)
📝 packages/vinext/src/server/app-dev-server.ts (+1 -1)
📝 tests/app-router.test.ts (+65 -1)
📝 tests/check.test.ts (+12 -0)
📝 tests/pages-router.test.ts (+54 -0)
📝 tests/shims.test.ts (+42 -0)

📄 Description

Summary

Parse and wire allowedDevOrigins as its own config surface instead of reusing experimental.serverActions.allowedOrigins.

This fixes the dev-origin enforcement so the dev server allowlist does not widen or narrow trust boundaries based on server action CSRF config.

Changes

  • add allowedDevOrigins to NextConfig and ResolvedNextConfig
  • parse top-level allowedDevOrigins in resolveNextConfig()
  • use allowedDevOrigins for Pages Router dev-origin checks
  • pass allowedDevOrigins into the App Router virtual RSC entry
  • keep App Router server action CSRF checks wired to experimental.serverActions.allowedOrigins
  • update vinext check to report allowedDevOrigins as supported

Tests

  • add parser tests for allowedDevOrigins defaults and separation from serverActions.allowedOrigins
  • add Pages Router dev-server integration coverage test/development/basic/allowed-dev-origins.test.ts
  • add App Router codegen/plugin wiring tests to verify allowedDevOrigins and allowedOrigins remain distinct
  • add vinext check coverage for allowedDevOrigins

Verification

  • pnpm test tests/check.test.ts -t "allowedDevOrigins|experimental.serverActions|next.config"
  • pnpm test tests/shims.test.ts -t "allowedDevOrigins|serverActionsAllowedOrigins"
  • pnpm test tests/app-router.test.ts -t "loads allowedDevOrigins from next.config into the virtual RSC entry|keeps allowedDevOrigins separate from allowedOrigins|embeds allowedDevOrigins"
  • pnpm test tests/pages-router.test.ts -t "Pages Router allowedDevOrigins config"
  • pnpm test tests/dev-origin-check.test.ts

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
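Added example, not code from the PR or from vinext: a sketch of why the two allowlists have to be resolved separately, comparing a resolver that reads each key on its own with one that borrows the dev allowlist from the server action CSRF list. Only the config keys `allowedDevOrigins` and `experimental.serverActions.allowedOrigins` come from the description; every function name, the matching rules and the sample hostnames are assumptions.

```javascript
// Added sketch: function names are hypothetical, not vinext's implementation.
// Only the two config keys are taken from the PR description.
const list = (v) => (Array.isArray(v) ? v.filter((s) => typeof s === "string") : []);

// Each allowlist is read from its own key and defaults to empty.
function resolveOrigins(config) {
  return {
    allowedDevOrigins: list(config?.allowedDevOrigins),
    serverActionsAllowedOrigins: list(config?.experimental?.serverActions?.allowedOrigins),
  };
}

// Conflated variant: the dev allowlist is borrowed from the server action CSRF list.
function resolveOriginsConflated(config) {
  const resolved = resolveOrigins(config);
  return { ...resolved, allowedDevOrigins: resolved.serverActionsAllowedOrigins };
}

// Simplified matcher (assumption): exact host, or a "*.suffix" wildcard.
function hostAllowed(host, patterns) {
  return patterns.some((p) =>
    p.startsWith("*.") ? host.length > p.length - 1 && host.endsWith(p.slice(1)) : host === p);
}

// Dev-server gate: loopback or an explicitly allowed dev origin. Missing or
// unparseable Origin values are rejected in this sketch.
function devOriginAllowed(origin, resolved) {
  let host;
  try { host = new URL(origin).hostname; } catch { return false; }
  if (host === "localhost" || host === "127.0.0.1") return true;
  return hostAllowed(host, resolved.allowedDevOrigins);
}

// Server action CSRF gate: same host as the request, or an allowed action origin.
function actionOriginAllowed(origin, requestHost, resolved) {
  let host;
  try { host = new URL(origin).host; } catch { return false; }
  return host === requestHost || hostAllowed(host, resolved.serverActionsAllowedOrigins);
}

// Constructed sample config; the hostnames are placeholders.
const sampleConfig = {
  allowedDevOrigins: ["dev-preview.example.test"],
  experimental: { serverActions: { allowedOrigins: ["cdn-proxy.example.test"] } },
};
const separate = resolveOrigins(sampleConfig);
const conflated = resolveOriginsConflated(sampleConfig);
console.log(devOriginAllowed("https://cdn-proxy.example.test", separate),
  devOriginAllowed("https://cdn-proxy.example.test", conflated));
```

With the conflated resolver the CSRF entry is accepted by the dev-server gate (trust widened) and the configured dev origin is rejected (trust narrowed), which is the coupling the description says the change removes.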
