fix: guard against invalid origin header value (#5288)

schiller-manuel · web-flow · commit de70ba95e69c · 2025-09-29T01:49:53.000+02:00
diff --git a/packages/start-server-core/src/createStartHandler.ts b/packages/start-server-core/src/createStartHandler.ts
@@ -97,7 +97,10 @@ export function createStartHandler<TRegister = Register>(
     function getOrigin() {
       const originHeader = request.headers.get('Origin')
       if (originHeader) {
-        return originHeader
+        try {
+          new URL(originHeader)
+          return originHeader
+        } catch {}
       }
       try {
         return new URL(request.url).origin
