Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Flight Reply] Don't allow Symbols to be passed to a reply #28610

Merged
merged 1 commit into from
Mar 21, 2024
Merged

[Flight Reply] Don't allow Symbols to be passed to a reply #28610

merged 1 commit into from
Mar 21, 2024

Conversation

sebmarkbage
Copy link
Collaborator

@sebmarkbage sebmarkbage commented Mar 21, 2024
edited
Loading

As mentioned in #28609 there's a potential security risk if you allow a passed value to the server to spoof Elements because it allows a hacker to POST cross origin. This is only an issue if your framework allows this which it shouldn't but it seems like we should provide an extra layer of security here.

function action(errors, payload) {
  try {
    ...
  } catch (x) {
    return [newError].concat(errors);
  }
}
const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;

This would allow you to construct a payload where the previous "errors" set includes something like <script src="danger.js" />.

We could block only elements from being received but it could potentially be a risk with creating other React types like Context too. We use symbols as a way to securely brand these.

Most JS don't use this kind of branding with symbols like we do. They're generally properties which we don't support anyway. However in theory someone else could be using them like we do. So in an abundance of carefulness I just ban all symbols from being passed (except by temporary reference) - not just ours.

This means that the format isn't fully symmetric even beyond just React Nodes.

#28611 allows code that includes symbols/elements to continue working but may have to bail out to replaying instead of no JS sometimes. However, you still can't access the symbols inside the server - they're by reference only.

@facebook-github-bot facebook-github-bot added CLA Signed React Core Team Opened by a member of the React Core Team labels Mar 21, 2024
@sebmarkbage sebmarkbage mentioned this pull request Mar 21, 2024
Closed
@react-sizebot
Copy link

Comparing: a493901...bd8f964

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name +/- Base Current +/- gzip Base gzip Current gzip
oss-stable/react-dom/cjs/react-dom.production.min.js = 176.84 kB 176.84 kB = 54.92 kB 54.91 kB
oss-experimental/react-dom/cjs/react-dom.production.min.js = 173.27 kB 173.27 kB = 54.04 kB 54.04 kB
facebook-www/ReactDOM-prod.classic.js = 594.30 kB 594.30 kB = 104.45 kB 104.45 kB
facebook-www/ReactDOM-prod.modern.js = 577.56 kB 577.56 kB = 101.48 kB 101.48 kB
test_utils/ReactAllWarnings.js Deleted 66.48 kB 0.00 kB Deleted 16.26 kB 0.00 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show
Name +/- Base Current +/- gzip Base gzip Current gzip
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js = 78.80 kB 78.60 kB = 19.02 kB 18.93 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js = 78.77 kB 78.58 kB = 18.98 kB 18.89 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js = 77.73 kB 77.53 kB = 18.81 kB 18.72 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js = 77.70 kB 77.51 kB = 18.76 kB 18.68 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.development.js = 76.30 kB 76.11 kB = 18.43 kB 18.34 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.development.js = 76.26 kB 76.07 kB = 18.41 kB 18.31 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js = 74.48 kB 74.29 kB = 17.83 kB 17.73 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js = 73.71 kB 73.52 kB = 18.02 kB 17.92 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js = 73.71 kB 73.52 kB = 18.02 kB 17.92 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js = 73.68 kB 73.49 kB = 17.97 kB 17.88 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js = 73.68 kB 73.49 kB = 17.97 kB 17.88 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js = 72.64 kB 72.45 kB = 17.80 kB 17.71 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js = 72.64 kB 72.45 kB = 17.80 kB 17.71 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js = 72.61 kB 72.42 kB = 17.76 kB 17.67 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js = 72.61 kB 72.42 kB = 17.76 kB 17.67 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.development.js = 71.21 kB 71.02 kB = 17.42 kB 17.33 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.development.js = 71.21 kB 71.02 kB = 17.42 kB 17.33 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.development.js = 71.18 kB 70.99 kB = 17.40 kB 17.30 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.development.js = 71.18 kB 70.99 kB = 17.40 kB 17.30 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.min.js = 16.66 kB 16.62 kB = 5.95 kB 5.89 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.min.js = 16.65 kB 16.61 kB = 5.94 kB 5.88 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js = 70.54 kB 70.35 kB = 16.96 kB 16.86 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.development.js = 74.86 kB 74.66 kB = 17.23 kB 17.13 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js = 70.03 kB 69.84 kB = 16.79 kB 16.69 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.development.js = 74.32 kB 74.12 kB = 17.05 kB 16.95 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js = 69.40 kB 69.20 kB = 16.82 kB 16.73 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js = 69.40 kB 69.20 kB = 16.82 kB 16.73 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js = 16.22 kB 16.17 kB = 5.83 kB 5.77 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js = 16.21 kB 16.17 kB = 5.82 kB 5.75 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js = 15.90 kB 15.86 kB = 5.71 kB 5.65 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js = 15.90 kB 15.85 kB = 5.71 kB 5.65 kB
oss-experimental/react-client/cjs/react-client-flight.development.js = 66.86 kB 66.67 kB = 16.06 kB 15.97 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js = 66.78 kB 66.59 kB = 15.82 kB 15.73 kB
oss-experimental/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js = 66.54 kB 66.35 kB = 15.76 kB 15.66 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js = 15.50 kB 15.46 kB = 5.53 kB 5.47 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js = 65.45 kB 65.26 kB = 15.96 kB 15.86 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js = 65.45 kB 65.26 kB = 15.96 kB 15.86 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.development.js = 69.46 kB 69.25 kB = 16.21 kB 16.11 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.development.js = 69.46 kB 69.25 kB = 16.21 kB 16.11 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.min.js = 15.35 kB 15.30 kB = 5.60 kB 5.53 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.min.js = 15.35 kB 15.30 kB = 5.60 kB 5.53 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.min.js = 15.34 kB 15.29 kB = 5.59 kB 5.52 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.min.js = 15.34 kB 15.29 kB = 5.59 kB 5.52 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js = 64.94 kB 64.75 kB = 15.78 kB 15.69 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js = 64.94 kB 64.75 kB = 15.78 kB 15.69 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.development.js = 68.91 kB 68.71 kB = 16.02 kB 15.93 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.development.js = 68.91 kB 68.71 kB = 16.02 kB 15.93 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js = 14.89 kB 14.85 kB = 5.48 kB 5.41 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js = 14.89 kB 14.85 kB = 5.48 kB 5.41 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js = 14.89 kB 14.84 kB = 5.46 kB 5.40 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js = 14.89 kB 14.84 kB = 5.46 kB 5.40 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js = 14.58 kB 14.53 kB = 5.35 kB 5.28 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js = 14.58 kB 14.53 kB = 5.35 kB 5.28 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js = 14.57 kB 14.53 kB = 5.35 kB 5.28 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js = 14.57 kB 14.53 kB = 5.35 kB 5.28 kB
oss-stable-semver/react-client/cjs/react-client-flight.development.js = 61.77 kB 61.58 kB = 15.06 kB 14.97 kB
oss-stable/react-client/cjs/react-client-flight.development.js = 61.77 kB 61.58 kB = 15.06 kB 14.97 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js = 61.69 kB 61.50 kB = 14.82 kB 14.72 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js = 61.69 kB 61.50 kB = 14.82 kB 14.72 kB
oss-stable-semver/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js = 61.45 kB 61.26 kB = 14.75 kB 14.65 kB
oss-stable/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js = 61.45 kB 61.26 kB = 14.75 kB 14.65 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js = 14.36 kB 14.31 kB = 5.23 kB 5.17 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js = 14.24 kB 14.19 kB = 5.19 kB 5.14 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js = 14.18 kB 14.13 kB = 5.17 kB 5.11 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js = 14.18 kB 14.13 kB = 5.17 kB 5.11 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js = 14.17 kB 14.13 kB = 5.15 kB 5.08 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js = 14.05 kB 14.01 kB = 5.11 kB 5.04 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js = 13.38 kB 13.33 kB = 4.84 kB 4.77 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js = 13.05 kB 13.00 kB = 4.87 kB 4.81 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js = 13.05 kB 13.00 kB = 4.87 kB 4.81 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js = 12.92 kB 12.88 kB = 4.84 kB 4.78 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js = 12.92 kB 12.88 kB = 4.84 kB 4.78 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js = 12.86 kB 12.82 kB = 4.79 kB 4.73 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js = 12.86 kB 12.82 kB = 4.79 kB 4.73 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js = 12.74 kB 12.69 kB = 4.75 kB 4.69 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js = 12.74 kB 12.69 kB = 4.75 kB 4.69 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.js = 61.78 kB 61.55 kB = 14.71 kB 14.60 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.js = 61.76 kB 61.52 kB = 14.66 kB 14.56 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js = 12.07 kB 12.02 kB = 4.48 kB 4.41 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js = 12.07 kB 12.02 kB = 4.48 kB 4.41 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.js = 60.67 kB 60.44 kB = 14.50 kB 14.39 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.js = 60.65 kB 60.41 kB = 14.45 kB 14.35 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.js = 59.24 kB 59.01 kB = 14.11 kB 14.00 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.js = 59.21 kB 58.98 kB = 14.09 kB 13.98 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.js = 57.42 kB 57.19 kB = 13.53 kB 13.43 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.js = 56.69 kB 56.46 kB = 13.71 kB 13.61 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.js = 56.69 kB 56.46 kB = 13.71 kB 13.61 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.js = 56.67 kB 56.43 kB = 13.66 kB 13.56 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.js = 56.67 kB 56.43 kB = 13.66 kB 13.56 kB
oss-experimental/react-client/cjs/react-client-flight.production.js = 50.30 kB 50.10 kB = 12.05 kB 12.00 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.js = 55.58 kB 55.35 kB = 13.49 kB 13.39 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.js = 55.58 kB 55.35 kB = 13.49 kB 13.39 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.js = 55.56 kB 55.32 kB = 13.45 kB 13.35 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.js = 55.56 kB 55.32 kB = 13.45 kB 13.35 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.js = 54.15 kB 53.92 kB = 13.10 kB 13.00 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.js = 54.15 kB 53.92 kB = 13.10 kB 13.00 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.js = 54.12 kB 53.89 kB = 13.08 kB 12.97 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.js = 54.12 kB 53.89 kB = 13.08 kB 12.97 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.js = 54.12 kB 53.88 kB = 12.83 kB 12.72 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.js = 53.60 kB 53.36 kB = 12.67 kB 12.56 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.js = 52.33 kB 52.10 kB = 12.52 kB 12.42 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.js = 52.33 kB 52.10 kB = 12.52 kB 12.42 kB
oss-stable-semver/react-client/cjs/react-client-flight.production.js = 45.31 kB 45.10 kB = 11.07 kB 11.01 kB
oss-stable/react-client/cjs/react-client-flight.production.js = 45.31 kB 45.10 kB = 11.07 kB 11.01 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.js = 50.34 kB 50.11 kB = 11.74 kB 11.62 kB
oss-experimental/react-server-dom-esm/esm/react-server-dom-esm-client.browser.production.min.js = 50.19 kB 49.95 kB = 11.71 kB 11.59 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.js = 49.03 kB 48.79 kB = 11.84 kB 11.73 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.js = 49.03 kB 48.79 kB = 11.84 kB 11.73 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.js = 48.51 kB 48.27 kB = 11.67 kB 11.57 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.js = 48.51 kB 48.27 kB = 11.67 kB 11.57 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.js = 45.25 kB 45.02 kB = 10.74 kB 10.63 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.js = 45.25 kB 45.02 kB = 10.74 kB 10.63 kB
oss-stable-semver/react-server-dom-esm/esm/react-server-dom-esm-client.browser.production.min.js = 45.10 kB 44.86 kB = 10.71 kB 10.60 kB
oss-stable/react-server-dom-esm/esm/react-server-dom-esm-client.browser.production.min.js = 45.10 kB 44.86 kB = 10.71 kB 10.60 kB
test_utils/ReactAllWarnings.js Deleted 66.48 kB 0.00 kB Deleted 16.26 kB 0.00 kB

Generated by 🚫 dangerJS against bd8f964

@sebmarkbage sebmarkbage mentioned this pull request Mar 21, 2024
Merged
@sebmarkbage sebmarkbage merged commit 72e02a8 into facebook:main Mar 21, 2024
38 checks passed
sebmarkbage
sebmarkbage commented Mar 21, 2024
View reviewed changes
packages/react-server/src/ReactFlightReplyServer.js
case 'S': {
// Symbol
return Symbol.for(value.slice(2));
}
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the functional change since it doesn't matter what the client does if you can still fake a payload that includes this.

sebmarkbage added a commit that referenced this pull request Mar 21, 2024
@sebmarkbage
[Fizz] Recover from errors thrown by progressive enhancement form gen…
fee786a 
…eration (#28611)

This a follow up to #28564. It's alternative to #28609 which takes
#28610 into account.

It used to be possible to return JSX from an action with
`useActionState`.

```js
async function action(errors, payload) {
  "use server";
  try {
    ...
  } catch (x) {
    return <div>Error message</div>;
  }
}
```

```js
const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;
```

Returning JSX from an action is itself not anything problematic. It's
that it also has to return the previous state to the action reducer
again that's the problem. When this happens we accidentally could
serialize an Element back to the server.

I fixed this in #28564 so it's now blocked if you don't have a temporary
reference set.

However, you can't have that for the progressive enhancement case. The
reply is eagerly encoded as part of the SSR render. Typically you
wouldn't have these in the initial state so the common case is that they
show up after the first POST back that yields an error and it's only in
the no-JS case where this happens so it's hard to discover.

As noted in #28609 there's a security implication with allowing elements
to be sent across this kind of payload, so we can't just make it work.

When an error happens during SSR our general policy is to try to recover
on the client instead. After all, SSR is mainly a perf optimization in
React terms and it's not primarily intended for a no JS solution.

This PR takes the approach that if we fail to generate the progressive
enhancement payload. I.e. if the serialization of previous state /
closures throw. Then we fallback to the replaying semantics just client
actions instead which will succeed.

The effect of this is that this pattern mostly just works:

- First render in the typical case doesn't have any JSX in it so it just
renders a progressive enhanced form.
- If JS fails to hydrate or you click early we do a form POST. If that
hits an error and it tries to render it using JSX, then the new page
will render successfully - however this time with a Replaying form
instead.
- If you try to submit the form again it'll have to be using JS.

Meaning if you use JSX as the error return value of form state and you
make a first attempt that fails, then no JS won't work because either
the first or second attempt has to hydrate.

We have ideas for potentially optimizing away serializing unused
arguments like if you don't actually use previous state which would also
solve it but it wouldn't cover all cases such as if it was deeply nested
in complex state.

Another approach that I considered was to poison the prev state if you
passed an element back but let it through to the action but if you try
to render the poisoned value, it wouldn't work. The downside of this is
when to error. Because in the progressive enhancement case it wouldn't
error early but when you actually try to invoke it at which point it
would be too late to fallback to client replaying. It would probably
have to always error even on the client which is unfortunate since this
mostly just works as long as it hydrates.
github-actions bot pushed a commit that referenced this pull request Mar 21, 2024
@sebmarkbage
[Fizz] Recover from errors thrown by progressive enhancement form gen…
361d5a6 
…eration (#28611)

This a follow up to #28564. It's alternative to #28609 which takes
#28610 into account.

It used to be possible to return JSX from an action with
`useActionState`.

```js
async function action(errors, payload) {
  "use server";
  try {
    ...
  } catch (x) {
    return <div>Error message</div>;
  }
}
```

```js
const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;
```

Returning JSX from an action is itself not anything problematic. It's
that it also has to return the previous state to the action reducer
again that's the problem. When this happens we accidentally could
serialize an Element back to the server.

I fixed this in #28564 so it's now blocked if you don't have a temporary
reference set.

However, you can't have that for the progressive enhancement case. The
reply is eagerly encoded as part of the SSR render. Typically you
wouldn't have these in the initial state so the common case is that they
show up after the first POST back that yields an error and it's only in
the no-JS case where this happens so it's hard to discover.

As noted in #28609 there's a security implication with allowing elements
to be sent across this kind of payload, so we can't just make it work.

When an error happens during SSR our general policy is to try to recover
on the client instead. After all, SSR is mainly a perf optimization in
React terms and it's not primarily intended for a no JS solution.

This PR takes the approach that if we fail to generate the progressive
enhancement payload. I.e. if the serialization of previous state /
closures throw. Then we fallback to the replaying semantics just client
actions instead which will succeed.

The effect of this is that this pattern mostly just works:

- First render in the typical case doesn't have any JSX in it so it just
renders a progressive enhanced form.
- If JS fails to hydrate or you click early we do a form POST. If that
hits an error and it tries to render it using JSX, then the new page
will render successfully - however this time with a Replaying form
instead.
- If you try to submit the form again it'll have to be using JS.

Meaning if you use JSX as the error return value of form state and you
make a first attempt that fails, then no JS won't work because either
the first or second attempt has to hydrate.

We have ideas for potentially optimizing away serializing unused
arguments like if you don't actually use previous state which would also
solve it but it wouldn't cover all cases such as if it was deeply nested
in complex state.

Another approach that I considered was to poison the prev state if you
passed an element back but let it through to the action but if you try
to render the poisoned value, it wouldn't work. The downside of this is
when to error. Because in the progressive enhancement case it wouldn't
error early but when you actually try to invoke it at which point it
would be too late to fallback to client replaying. It would probably
have to always error even on the client which is unfortunate since this
mostly just works as long as it hydrates.

DiffTrain build for [fee786a](fee786a)
gnoff added a commit to gnoff/next.js that referenced this pull request Mar 25, 2024
@gnoff
Update React from 14898b6a9 to e373190fa
d674a96 
- facebook/react#28596
- facebook/react#28625
- facebook/react#28616
- facebook/react#28491
- facebook/react#28583
- facebook/react#28427
- facebook/react#28613
- facebook/react#28599
- facebook/react#28611
- facebook/react#28610
- facebook/react#28606
- facebook/react#28598
- facebook/react#28549
- facebook/react#28557
- facebook/react#28467
- facebook/react#28591
- facebook/react#28459
- facebook/react#28590
- facebook/react#28564
- facebook/react#28582
- facebook/react#28579
- facebook/react#28578
- facebook/react#28521
- facebook/react#28550
- facebook/react#28576
- facebook/react#28577
- facebook/react#28571
- facebook/react#28572
- facebook/react#28560
- facebook/react#28569
- facebook/react#28573
- facebook/react#28546
- facebook/react#28568
- facebook/react#28562
- facebook/react#28566
- facebook/react#28565
- facebook/react#28559
- facebook/react#28508
- facebook/react#20432
- facebook/react#28555
- facebook/react#24730
- facebook/react#28472
- facebook/react#27991
- facebook/react#28514
- facebook/react#28548
- facebook/react#28526
- facebook/react#28515
- facebook/react#28533
- facebook/react#28532
- facebook/react#28531
- facebook/react#28407
- facebook/react#28522
- facebook/react#28538
- facebook/react#28509
- facebook/react#28534
- facebook/react#28527
- facebook/react#28528
- facebook/react#28519
- facebook/react#28411
- facebook/react#28520
- facebook/react#28518
- facebook/react#28493
- facebook/react#28504
- facebook/react#28499
- facebook/react#28501
- facebook/react#28496
- facebook/react#28471
- facebook/react#28351
- facebook/react#28486
- facebook/react#28490
- facebook/react#28488
- facebook/react#28468
- facebook/react#28321
- facebook/react#28477
- facebook/react#28479
- facebook/react#28480
- facebook/react#28478
- facebook/react#28464
- facebook/react#28475
- facebook/react#28456
- facebook/react#28319
- facebook/react#28345
- facebook/react#28337
- facebook/react#28335
- facebook/react#28466
- facebook/react#28462
- facebook/react#28322
- facebook/react#28444
- facebook/react#28448
- facebook/react#28449
- facebook/react#28446
- facebook/react#28447
- facebook/react#24580
- facebook/react#28514
- facebook/react#28548
- facebook/react#28526
- facebook/react#28515
- facebook/react#28533
- facebook/react#28532
- facebook/react#28531
- facebook/react#28407
- facebook/react#28522
- facebook/react#28538
- facebook/react#28509
- facebook/react#28534
- facebook/react#28527
- facebook/react#28528
- facebook/react#28519
- facebook/react#28411
- facebook/react#28520
- facebook/react#28518
- facebook/react#28493
- facebook/react#28504
- facebook/react#28499
- facebook/react#28501
- facebook/react#28496
- facebook/react#28471
- facebook/react#28351
- facebook/react#28486
- facebook/react#28490
- facebook/react#28488
- facebook/react#28468
- facebook/react#28321
- facebook/react#28477
- facebook/react#28479
- facebook/react#28480
- facebook/react#28478
- facebook/react#28464
- facebook/react#28475
- facebook/react#28456
- facebook/react#28319
- facebook/react#28345
- facebook/react#28337
- facebook/react#28335
- facebook/react#28466
- facebook/react#28462
- facebook/react#28322
- facebook/react#28444
- facebook/react#28448
- facebook/react#28449
- facebook/react#28446
- facebook/react#28447
- facebook/react#24580
@gnoff gnoff mentioned this pull request Mar 25, 2024
Closed
gnoff added a commit to gnoff/next.js that referenced this pull request Mar 25, 2024
@gnoff
Update React from 14898b6a9 to e373190fa
1a2ce1f 
- facebook/react#28596
- facebook/react#28625
- facebook/react#28616
- facebook/react#28491
- facebook/react#28583
- facebook/react#28427
- facebook/react#28613
- facebook/react#28599
- facebook/react#28611
- facebook/react#28610
- facebook/react#28606
- facebook/react#28598
- facebook/react#28549
- facebook/react#28557
- facebook/react#28467
- facebook/react#28591
- facebook/react#28459
- facebook/react#28590
- facebook/react#28564
- facebook/react#28582
- facebook/react#28579
- facebook/react#28578
- facebook/react#28521
- facebook/react#28550
- facebook/react#28576
- facebook/react#28577
- facebook/react#28571
- facebook/react#28572
- facebook/react#28560
- facebook/react#28569
- facebook/react#28573
- facebook/react#28546
- facebook/react#28568
- facebook/react#28562
- facebook/react#28566
- facebook/react#28565
- facebook/react#28559
- facebook/react#28508
- facebook/react#20432
- facebook/react#28555
- facebook/react#24730
- facebook/react#28472
- facebook/react#27991
- facebook/react#28514
- facebook/react#28548
- facebook/react#28526
- facebook/react#28515
- facebook/react#28533
- facebook/react#28532
- facebook/react#28531
- facebook/react#28407
- facebook/react#28522
- facebook/react#28538
- facebook/react#28509
- facebook/react#28534
- facebook/react#28527
- facebook/react#28528
- facebook/react#28519
- facebook/react#28411
- facebook/react#28520
- facebook/react#28518
- facebook/react#28493
- facebook/react#28504
- facebook/react#28499
- facebook/react#28501
- facebook/react#28496
- facebook/react#28471
- facebook/react#28351
- facebook/react#28486
- facebook/react#28490
- facebook/react#28488
- facebook/react#28468
- facebook/react#28321
- facebook/react#28477
- facebook/react#28479
- facebook/react#28480
- facebook/react#28478
- facebook/react#28464
- facebook/react#28475
- facebook/react#28456
- facebook/react#28319
- facebook/react#28345
- facebook/react#28337
- facebook/react#28335
- facebook/react#28466
- facebook/react#28462
- facebook/react#28322
- facebook/react#28444
- facebook/react#28448
- facebook/react#28449
- facebook/react#28446
- facebook/react#28447
- facebook/react#24580
EdisonVan pushed a commit to EdisonVan/react that referenced this pull request Apr 15, 2024
@sebmarkbage @AndyPengc12
[Flight Reply] Don't allow Symbols to be passed to a reply (facebook#…
fdbc4ec 
…28610)

As mentioned in facebook#28609 there's a potential security risk if you allow a
passed value to the server to spoof Elements because it allows a hacker
to POST cross origin. This is only an issue if your framework allows
this which it shouldn't but it seems like we should provide an extra
layer of security here.

```js
function action(errors, payload) {
  try {
    ...
  } catch (x) {
    return [newError].concat(errors);
  }
}
```
```js
const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;
```
This would allow you to construct a payload where the previous "errors"
set includes something like `<script src="danger.js" />`.

We could block only elements from being received but it could
potentially be a risk with creating other React types like Context too.
We use symbols as a way to securely brand these.

Most JS don't use this kind of branding with symbols like we do. They're
generally properties which we don't support anyway. However in theory
someone else could be using them like we do. So in an abundance of
carefulness I just ban all symbols from being passed (except by
temporary reference) - not just ours.

This means that the format isn't fully symmetric even beyond just React
Nodes.

facebook#28611 allows code that includes symbols/elements to continue working
but may have to bail out to replaying instead of no JS sometimes.
However, you still can't access the symbols inside the server - they're
by reference only.
EdisonVan pushed a commit to EdisonVan/react that referenced this pull request Apr 15, 2024
@sebmarkbage @AndyPengc12
[Fizz] Recover from errors thrown by progressive enhancement form gen…
f6cd96a 
…eration (facebook#28611)

This a follow up to facebook#28564. It's alternative to facebook#28609 which takes
facebook#28610 into account.

It used to be possible to return JSX from an action with
`useActionState`.

```js
async function action(errors, payload) {
  "use server";
  try {
    ...
  } catch (x) {
    return <div>Error message</div>;
  }
}
```

```js
const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;
```

Returning JSX from an action is itself not anything problematic. It's
that it also has to return the previous state to the action reducer
again that's the problem. When this happens we accidentally could
serialize an Element back to the server.

I fixed this in facebook#28564 so it's now blocked if you don't have a temporary
reference set.

However, you can't have that for the progressive enhancement case. The
reply is eagerly encoded as part of the SSR render. Typically you
wouldn't have these in the initial state so the common case is that they
show up after the first POST back that yields an error and it's only in
the no-JS case where this happens so it's hard to discover.

As noted in facebook#28609 there's a security implication with allowing elements
to be sent across this kind of payload, so we can't just make it work.

When an error happens during SSR our general policy is to try to recover
on the client instead. After all, SSR is mainly a perf optimization in
React terms and it's not primarily intended for a no JS solution.

This PR takes the approach that if we fail to generate the progressive
enhancement payload. I.e. if the serialization of previous state /
closures throw. Then we fallback to the replaying semantics just client
actions instead which will succeed.

The effect of this is that this pattern mostly just works:

- First render in the typical case doesn't have any JSX in it so it just
renders a progressive enhanced form.
- If JS fails to hydrate or you click early we do a form POST. If that
hits an error and it tries to render it using JSX, then the new page
will render successfully - however this time with a Replaying form
instead.
- If you try to submit the form again it'll have to be using JS.

Meaning if you use JSX as the error return value of form state and you
make a first attempt that fails, then no JS won't work because either
the first or second attempt has to hydrate.

We have ideas for potentially optimizing away serializing unused
arguments like if you don't actually use previous state which would also
solve it but it wouldn't cover all cases such as if it was deeply nested
in complex state.

Another approach that I considered was to poison the prev state if you
passed an element back but let it through to the action but if you try
to render the poisoned value, it wouldn't work. The downside of this is
when to error. Because in the progressive enhancement case it wouldn't
error early but when you actually try to invoke it at which point it
would be too late to fallback to client replaying. It would probably
have to always error even on the client which is unfortunate since this
mostly just works as long as it hydrates.
eps1lon added a commit to vercel/next.js that referenced this pull request Apr 19, 2024
@eps1lon
Update React from 14898b6a9 to c3048aab4.
fc58bbc 
### React upstream changes

- facebook/react#28643
- facebook/react#28628
- facebook/react#28361
- facebook/react#28513
- facebook/react#28299
- facebook/react#28617
- facebook/react#28618
- facebook/react#28621
- facebook/react#28614
- facebook/react#28596
- facebook/react#28625
- facebook/react#28616
- facebook/react#28491
- facebook/react#28583
- facebook/react#28427
- facebook/react#28613
- facebook/react#28599
- facebook/react#28611
- facebook/react#28610
- facebook/react#28606
- facebook/react#28598
- facebook/react#28549
- facebook/react#28557
- facebook/react#28467
- facebook/react#28591
- facebook/react#28459
- facebook/react#28590
- facebook/react#28564
- facebook/react#28582
- facebook/react#28579
- facebook/react#28578
- facebook/react#28521
- facebook/react#28550
- facebook/react#28576
- facebook/react#28577
- facebook/react#28571
- facebook/react#28572
- facebook/react#28560
- facebook/react#28569
- facebook/react#28573
- facebook/react#28546
- facebook/react#28568
- facebook/react#28562
- facebook/react#28566
- facebook/react#28565
- facebook/react#28559
- facebook/react#28508
- facebook/react#20432
- facebook/react#28555
- facebook/react#24730
- facebook/react#28472
- facebook/react#27991
- facebook/react#28514
- facebook/react#28548
- facebook/react#28526
- facebook/react#28515
- facebook/react#28533
- facebook/react#28532
- facebook/react#28531
- facebook/react#28407
- facebook/react#28522
- facebook/react#28538
- facebook/react#28509
- facebook/react#28534
- facebook/react#28527
- facebook/react#28528
- facebook/react#28519
- facebook/react#28411
- facebook/react#28520
- facebook/react#28518
- facebook/react#28493
- facebook/react#28504
- facebook/react#28499
- facebook/react#28501
- facebook/react#28496
- facebook/react#28471
- facebook/react#28351
- facebook/react#28486
- facebook/react#28490
- facebook/react#28488
- facebook/react#28468
- facebook/react#28321
- facebook/react#28477
- facebook/react#28479
- facebook/react#28480
- facebook/react#28478
- facebook/react#28464
- facebook/react#28475
- facebook/react#28456
- facebook/react#28319
- facebook/react#28345
- facebook/react#28337
- facebook/react#28335
- facebook/react#28466
- facebook/react#28462
- facebook/react#28322
- facebook/react#28444
- facebook/react#28448
- facebook/react#28449
- facebook/react#28446
- facebook/react#28447
- facebook/react#24580
- facebook/react#28514
- facebook/react#28548
- facebook/react#28526
- facebook/react#28515
- facebook/react#28533
- facebook/react#28532
- facebook/react#28531
- facebook/react#28407
- facebook/react#28522
- facebook/react#28538
- facebook/react#28509
- facebook/react#28534
- facebook/react#28527
- facebook/react#28528
- facebook/react#28519
- facebook/react#28411
- facebook/react#28520
- facebook/react#28518
- facebook/react#28493
- facebook/react#28504
- facebook/react#28499
- facebook/react#28501
- facebook/react#28496
- facebook/react#28471
- facebook/react#28351
- facebook/react#28486
- facebook/react#28490
- facebook/react#28488
- facebook/react#28468
- facebook/react#28321
- facebook/react#28477
- facebook/react#28479
- facebook/react#28480
- facebook/react#28478
- facebook/react#28464
- facebook/react#28475
- facebook/react#28456
- facebook/react#28319
- facebook/react#28345
- facebook/react#28337
- facebook/react#28335
- facebook/react#28466
- facebook/react#28462
- facebook/react#28322
- facebook/react#28444
- facebook/react#28448
- facebook/react#28449
- facebook/react#28446
- facebook/react#28447
- facebook/react#24580
@eps1lon eps1lon mentioned this pull request Apr 19, 2024
Merged
@sebmarkbage sebmarkbage mentioned this pull request May 10, 2024
Closed
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gnoff gnoff gnoff approved these changes

@acdlite acdlite Awaiting requested review from acdlite

Assignees
No one assigned
Labels
CLA Signed React Core Team Opened by a member of the React Core Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sebmarkbage @react-sizebot @gnoff @facebook-github-bot