fix(@angular/ssr): disallow x-forwarded-prefix starting with a backslash #32771

Merged
alan-agius4 merged 2 commits into angular:main from alan-agius4:prefix-url
Mar 17, 2026
@alan-agius4
Collaborator

Updated the INVALID_PREFIX_REGEX to ensure that prefixes starting with a backslash are considered invalid. Previously, only multiple slashes or dot segments were explicitly disallowed at the start.

Also updated the associated validation error message and unit tests to reflect this change.
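
An added illustration of the kind of check described above (not code from this PR or from Angular): the pattern `HYPOTHETICAL_INVALID_PREFIX`, the origin `https://app.example`, the helper names and the sample values are assumptions made for the example. It also shows why a leading backslash matters for a redirect target: WHATWG URL parsers treat `\` as `/` in http(s) URLs.

```javascript
// HYPOTHETICAL pattern written for this illustration; it is not the
// INVALID_PREFIX_REGEX from the Angular source.
// Rejects: a leading backslash, two or more leading slashes (either kind),
// and "." / ".." path segments anywhere in the prefix.
const HYPOTHETICAL_INVALID_PREFIX = /^\\|^[\\\/]{2,}|(?:^|[\\\/])\.{1,2}(?:[\\\/]|$)/;

// Constructed origin for the demonstration.
const APP_ORIGIN = 'https://app.example';

function isValidPrefix(prefix) {
  return typeof prefix === 'string' && !HYPOTHETICAL_INVALID_PREFIX.test(prefix);
}

// Resolve prefix + path the way a WHATWG URL parser (Node, browsers) does and
// report which origin the redirect would land on. For http(s) URLs the parser
// reads "\" as "/", so "\\host" is parsed like "//host".
function redirectOrigin(prefix, path = '/login') {
  return new URL(prefix + path, APP_ORIGIN).origin;
}

// Returns the redirect target, or null when the header value must be ignored.
function buildRedirect(prefix, path = '/login') {
  if (!isValidPrefix(prefix)) return null;
  // Defence in depth: a prefix that passes the pattern must still stay on-origin.
  if (redirectOrigin(prefix, path) !== APP_ORIGIN) return null;
  return prefix + path;
}

// Constructed sample header values.
const samples = ['/app', '/v1.2/app', '\\\\cdn.example', '\\app', '//cdn.example', '/a/../b'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', buildRedirect(s));
}
```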

alan-agius4 requested a review from dgp1130 on March 16, 2026 09:20
alan-agius4 added the labels "action: review" (The PR is still awaiting reviews from at least one requested reviewer) and "target: patch" (This PR is targeted for the next patch release) on Mar 16, 2026
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly addresses a validation gap by disallowing x-forwarded-prefix headers that start with a backslash. The regular expression has been updated effectively, and a corresponding test case has been added to cover this scenario. My review includes a few suggestions to improve the clarity of the error message and a related test description to ensure they accurately reflect all invalid prefix conditions being checked.

alan-agius4 force-pushed the prefix-url branch 3 times, most recently from 2210255 to c626eac, on March 16, 2026 13:09
Updated the INVALID_PREFIX_REGEX to ensure that prefixes starting with a backslash are considered invalid. Previously, only multiple slashes or dot segments were explicitly disallowed at the start.

Also updated the associated validation error message and unit tests to reflect this change.

Updates createRedirectResponse to accept an optional Record<string, string> of headers, allowing custom headers to be merged into the redirect response. The Location and Vary: X-Forwarded-Prefix headers are automatically set to ensure correct routing and proxy behavior.

AngularServerApp now passes relevant headers from the matched route or response context when creating a redirect.
alan-agius4 added the label "action: merge" (The PR is ready for merge by the caretaker) and removed the label "action: review" (The PR is still awaiting reviews from at least one requested reviewer) on Mar 17, 2026
alan-agius4 merged commit 998b829 into angular:main on Mar 17, 2026
35 checks passed
alan-agius4 deleted the prefix-url branch on March 17, 2026 09:56
@alan-agius4
Collaborator Author

This PR was merged into the repository. The changes were merged into the following branches:

Labels

action: merge (The PR is ready for merge by the caretaker); area: @angular/ssr; target: patch (This PR is targeted for the next patch release)
