-
Notifications
You must be signed in to change notification settings - Fork 26.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verify action id before parsing body #58977
Conversation
Current dependencies on/for this PR:
This stack of pull requests is managed by Graphite. |
Failing test suitesCommit: f9f9bc6
Expand output● app dir › HMR › should not cause error when removing loading.js
Read more about building and testing Next.js in contributing.md. |
Stats from current PRDefault Build (Increase detected
|
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
buildDuration | 10.6s | 10.5s | N/A |
buildDurationCached | 6s | 5.9s | N/A |
nodeModulesSize | 199 MB | 199 MB | |
nextStartRea..uration (ms) | 423ms | 428ms | N/A |
Client Bundles (main, webpack)
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
199-HASH.js gzip | 30.7 kB | 30.7 kB | N/A |
3f784ff6-HASH.js gzip | 53.3 kB | 53.3 kB | ✓ |
494.HASH.js gzip | 180 B | 181 B | N/A |
framework-HASH.js gzip | 45.2 kB | 45.2 kB | ✓ |
main-app-HASH.js gzip | 241 B | 239 B | N/A |
main-HASH.js gzip | 31.7 kB | 31.7 kB | N/A |
webpack-HASH.js gzip | 1.7 kB | 1.7 kB | ✓ |
Overall change | 100 kB | 100 kB | ✓ |
Legacy Client Bundles (polyfills)
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
polyfills-HASH.js gzip | 31 kB | 31 kB | ✓ |
Overall change | 31 kB | 31 kB | ✓ |
Client Pages
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
_app-HASH.js gzip | 194 B | 195 B | N/A |
_error-HASH.js gzip | 182 B | 181 B | N/A |
amp-HASH.js gzip | 501 B | 503 B | N/A |
css-HASH.js gzip | 322 B | 323 B | N/A |
dynamic-HASH.js gzip | 2.5 kB | 2.5 kB | ✓ |
edge-ssr-HASH.js gzip | 253 B | 255 B | N/A |
head-HASH.js gzip | 348 B | 347 B | N/A |
hooks-HASH.js gzip | 369 B | 368 B | N/A |
image-HASH.js gzip | 4.27 kB | 4.27 kB | N/A |
index-HASH.js gzip | 256 B | 256 B | ✓ |
link-HASH.js gzip | 2.61 kB | 2.6 kB | N/A |
routerDirect..HASH.js gzip | 311 B | 311 B | ✓ |
script-HASH.js gzip | 384 B | 383 B | N/A |
withRouter-HASH.js gzip | 307 B | 308 B | N/A |
1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
Overall change | 3.17 kB | 3.17 kB | ✓ |
Client Build Manifests
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
_buildManifest.js gzip | 484 B | 483 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
index.html gzip | 528 B | 526 B | N/A |
link.html gzip | 539 B | 539 B | ✓ |
withRouter.html gzip | 524 B | 521 B | N/A |
Overall change | 539 B | 539 B | ✓ |
Edge SSR bundle Size Overall increase ⚠️
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
edge-ssr.js gzip | 92.6 kB | 92.6 kB | N/A |
page.js gzip | 145 kB | 146 kB | |
Overall change | 145 kB | 146 kB |
Middleware size
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
middleware-b..fest.js gzip | 625 B | 623 B | N/A |
middleware-r..fest.js gzip | 150 B | 151 B | N/A |
middleware.js gzip | 35.7 kB | 35.7 kB | N/A |
edge-runtime..pack.js gzip | 1.92 kB | 1.92 kB | ✓ |
Overall change | 1.92 kB | 1.92 kB | ✓ |
Next Runtimes
vercel/next.js canary | vercel/next.js 11-27-verify_action_id_before_parsing_body | Change | |
---|---|---|---|
app-page-exp...dev.js gzip | 168 kB | 168 kB | N/A |
app-page-exp..prod.js gzip | 93.6 kB | 93.7 kB | N/A |
app-page-tur..prod.js gzip | 94.4 kB | 94.5 kB | N/A |
app-page-tur..prod.js gzip | 88.9 kB | 89 kB | N/A |
app-page.run...dev.js gzip | 138 kB | 138 kB | N/A |
app-page.run..prod.js gzip | 88.3 kB | 88.4 kB | N/A |
app-route-ex...dev.js gzip | 24.2 kB | 24.2 kB | ✓ |
app-route-ex..prod.js gzip | 16.8 kB | 16.8 kB | ✓ |
app-route-tu..prod.js gzip | 16.9 kB | 16.9 kB | ✓ |
app-route-tu..prod.js gzip | 16.4 kB | 16.4 kB | ✓ |
app-route.ru...dev.js gzip | 23.6 kB | 23.6 kB | ✓ |
app-route.ru..prod.js gzip | 16.4 kB | 16.4 kB | ✓ |
pages-api-tu..prod.js gzip | 9.37 kB | 9.37 kB | ✓ |
pages-api.ru...dev.js gzip | 9.64 kB | 9.64 kB | ✓ |
pages-api.ru..prod.js gzip | 9.37 kB | 9.37 kB | ✓ |
pages-turbo...prod.js gzip | 21.9 kB | 21.9 kB | ✓ |
pages.runtim...dev.js gzip | 22.6 kB | 22.6 kB | ✓ |
pages.runtim..prod.js gzip | 21.9 kB | 21.9 kB | ✓ |
server.runti..prod.js gzip | 49.3 kB | 49.3 kB | ✓ |
Overall change | 258 kB | 258 kB | ✓ |
Diff details
Diff for page.js
Diff too large to display
Diff for app-page-exp..ntime.dev.js
failed to diff
Diff for app-page-exp..time.prod.js
Diff too large to display
Diff for app-page-tur..time.prod.js
Diff too large to display
Diff for app-page-tur..time.prod.js
Diff too large to display
Diff for app-page.runtime.dev.js
Diff too large to display
Diff for app-page.runtime.prod.js
Diff too large to display
3dc7e70
to
0a15a4c
Compare
47128a8
to
83b5398
Compare
00ce649
to
158fb83
Compare
d97b665
to
d2d21c3
Compare
1f711ea
to
7ef3827
Compare
7ef3827
to
1d2ab51
Compare
158fb83
to
cd6e616
Compare
cd6e616
to
b2112f9
Compare
What?
When handling a server action, in the non-progressive enhanced case, React will attempt to parse the request body before verifying if a valid server action is received. This results in an "Error: Connection Closed" error being thrown, rather than ignoring the action and failing more gracefully
Why?
To support progressive enhancement with form actions, the
actionId
value is added as a hidden input in the form, so the action ID from the header shouldn't be verified until determining that we've reached the non-PE case. (React ref). However, in #49187, support was added for a URL encoded form (which is not currently used, as indicated on the PR).Despite it not being used for server actions, it's currently possible to trigger this codepath, ie by calling redirect in an action handler with a 307/308 status code with some data in the URL. This would result in a 500 error.
How?
React should not attempt to parse the URL encoded form data until after we've verified the server action header for the non-PE case.
x-ref NEXT-1733
Slack context