separate the tests

ztanner · ztanner · commit e9d5090f2d3b · 2025-03-21T16:46:18.000-07:00
diff --git a/packages/next/src/server/lib/router-utils/block-cross-site.ts b/packages/next/src/server/lib/router-utils/block-cross-site.ts
@@ -7,19 +7,20 @@ import { isCsrfOriginAllowed } from '../../app-render/csrf-protection'
 
 function warnOrBlockRequest(
   res: ServerResponse | Duplex,
-  requestPath: string,
+  origin: string | undefined,
   mode: 'warn' | 'block'
 ): boolean {
+  const originString = origin ? `from ${origin}` : ''
   if (mode === 'warn') {
     warnOnce(
-      `Cross origin request detected from ${requestPath}. In a future major version of Next.js, you will need to explicitly configure "allowedDevOrigins" in next.config to allow this.\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`
+      `Cross origin request detected ${originString} to /_next/* resource. In a future major version of Next.js, you will need to explicitly configure "allowedDevOrigins" in next.config to allow this.\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`
     )
 
     return false
   }
 
   warnOnce(
-    `Blocked cross-origin request from ${requestPath}. To allow this, configure "allowedDevOrigins" in next.config\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`
+    `Blocked cross-origin request ${originString} to /_next/* resource. To allow this, configure "allowedDevOrigins" in next.config\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`
   )
 
   if ('statusCode' in res) {
@@ -61,7 +62,7 @@ export const blockCrossSite = (
     req.headers['sec-fetch-mode'] === 'no-cors' &&
     req.headers['sec-fetch-site'] === 'cross-site'
   ) {
-    return warnOrBlockRequest(res, ' /_next/*', mode)
+    return warnOrBlockRequest(res, undefined, mode)
   }
 
   // ensure websocket requests from allowed origin
diff --git a/test/development/basic/allowed-dev-origins.test.ts b/test/development/basic/allowed-dev-origins.test.ts
@@ -0,0 +1,277 @@
+import http from 'http'
+import { join } from 'path'
+import webdriver from 'next-webdriver'
+import { createNext, FileRef } from 'e2e-utils'
+import { NextInstance } from 'e2e-utils'
+import { fetchViaHTTP, findPort, retry } from 'next-test-utils'
+
+describe.each([['', '/docs']])(
+  'allowed-dev-origins, basePath: %p',
+  (basePath: string) => {
+    let next: NextInstance
+
+    describe('warn mode', () => {
+      beforeAll(async () => {
+        next = await createNext({
+          files: {
+            pages: new FileRef(join(__dirname, 'misc/pages')),
+            public: new FileRef(join(__dirname, 'misc/public')),
+          },
+          nextConfig: {
+            basePath,
+          },
+        })
+
+        await retry(async () => {
+          // make sure host server is running
+          const asset = await fetchViaHTTP(
+            next.appPort,
+            '/_next/static/chunks/pages/_app.js'
+          )
+          expect(asset.status).toBe(200)
+        })
+      })
+      afterAll(() => next.destroy())
+
+      it('should warn about WebSocket from cross-site', async () => {
+        let server = http.createServer((req, res) => {
+          res.end(`
+              <html>
+                <head>
+                  <title>testing cross-site</title>
+                </head>
+                <body></body>
+              </html>
+            `)
+        })
+        try {
+          const port = await findPort()
+          await new Promise<void>((res) => {
+            server.listen(port, () => res())
+          })
+          const websocketSnippet = `(() => {
+              const statusEl = document.createElement('p')
+              statusEl.id = 'status'
+              document.querySelector('body').appendChild(statusEl)
+  
+              const ws = new WebSocket("${next.url}/_next/webpack-hmr")
+              
+              ws.addEventListener('error', (err) => {
+                statusEl.innerText = 'error'
+              })
+              ws.addEventListener('open', () => {
+                statusEl.innerText = 'connected'
+              })
+            })()`
+
+          // ensure direct port with mismatching port is blocked
+          const browser = await webdriver(`http://127.0.0.1:${port}`, '/about')
+          await browser.eval(websocketSnippet)
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe(
+              'connected'
+            )
+          })
+
+          // ensure different host is blocked
+          await browser.get(`https://example.vercel.sh/`)
+          await browser.eval(websocketSnippet)
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe(
+              'connected'
+            )
+          })
+
+          expect(next.cliOutput).toContain('Cross origin request detected from')
+        } finally {
+          server.close()
+        }
+      })
+
+      it('should not allow loading scripts from cross-site', async () => {
+        let server = http.createServer((req, res) => {
+          res.end(`
+              <html>
+                <head>
+                  <title>testing cross-site</title>
+                </head>
+                <body></body>
+              </html>
+            `)
+        })
+        try {
+          const port = await findPort()
+          await new Promise<void>((res) => {
+            server.listen(port, () => res())
+          })
+          const scriptSnippet = `(() => {
+              const statusEl = document.createElement('p')
+              statusEl.id = 'status'
+              document.querySelector('body').appendChild(statusEl)
+  
+              const script = document.createElement('script')
+              script.src = "${next.url}/_next/static/chunks/pages/_app.js"
+              
+              script.onerror = (err) => {
+                statusEl.innerText = 'error'
+              }
+              script.onload = () => {
+                statusEl.innerText = 'connected'
+              }
+              document.querySelector('body').appendChild(script)
+            })()`
+
+          // ensure direct port with mismatching port is blocked
+          const browser = await webdriver(`http://127.0.0.1:${port}`, '/about')
+          await browser.eval(scriptSnippet)
+
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe(
+              'connected'
+            )
+          })
+
+          // ensure different host is blocked
+          await browser.get(`https://example.vercel.sh/`)
+          await browser.eval(scriptSnippet)
+
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe(
+              'connected'
+            )
+          })
+
+          expect(next.cliOutput).toContain('Cross origin request detected from')
+        } finally {
+          server.close()
+        }
+      })
+    })
+
+    describe('block mode', () => {
+      beforeAll(async () => {
+        next = await createNext({
+          files: {
+            pages: new FileRef(join(__dirname, 'misc/pages')),
+            public: new FileRef(join(__dirname, 'misc/public')),
+          },
+          nextConfig: {
+            basePath,
+            allowedDevOrigins: ['localhost'],
+          },
+        })
+
+        await retry(async () => {
+          // make sure host server is running
+          const asset = await fetchViaHTTP(
+            next.appPort,
+            '/_next/static/chunks/pages/_app.js'
+          )
+          expect(asset.status).toBe(200)
+        })
+      })
+      afterAll(() => next.destroy())
+
+      it('should not allow dev WebSocket from cross-site', async () => {
+        let server = http.createServer((req, res) => {
+          res.end(`
+              <html>
+                <head>
+                  <title>testing cross-site</title>
+                </head>
+                <body></body>
+              </html>
+            `)
+        })
+        try {
+          const port = await findPort()
+          await new Promise<void>((res) => {
+            server.listen(port, () => res())
+          })
+          const websocketSnippet = `(() => {
+              const statusEl = document.createElement('p')
+              statusEl.id = 'status'
+              document.querySelector('body').appendChild(statusEl)
+  
+              const ws = new WebSocket("${next.url}/_next/webpack-hmr")
+              
+              ws.addEventListener('error', (err) => {
+                statusEl.innerText = 'error'
+              })
+              ws.addEventListener('open', () => {
+                statusEl.innerText = 'connected'
+              })
+            })()`
+
+          // ensure direct port with mismatching port is blocked
+          const browser = await webdriver(`http://127.0.0.1:${port}`, '/about')
+          await browser.eval(websocketSnippet)
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe('error')
+          })
+
+          // ensure different host is blocked
+          await browser.get(`https://example.vercel.sh/`)
+          await browser.eval(websocketSnippet)
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe('error')
+          })
+        } finally {
+          server.close()
+        }
+      })
+
+      it('should not allow loading scripts from cross-site', async () => {
+        let server = http.createServer((req, res) => {
+          res.end(`
+              <html>
+                <head>
+                  <title>testing cross-site</title>
+                </head>
+                <body></body>
+              </html>
+            `)
+        })
+        try {
+          const port = await findPort()
+          await new Promise<void>((res) => {
+            server.listen(port, () => res())
+          })
+          const scriptSnippet = `(() => {
+              const statusEl = document.createElement('p')
+              statusEl.id = 'status'
+              document.querySelector('body').appendChild(statusEl)
+  
+              const script = document.createElement('script')
+              script.src = "${next.url}/_next/static/chunks/pages/_app.js"
+              
+              script.onerror = (err) => {
+                statusEl.innerText = 'error'
+              }
+              script.onload = () => {
+                statusEl.innerText = 'connected'
+              }
+              document.querySelector('body').appendChild(script)
+            })()`
+
+          // ensure direct port with mismatching port is blocked
+          const browser = await webdriver(`http://127.0.0.1:${port}`, '/about')
+          await browser.eval(scriptSnippet)
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe('error')
+          })
+
+          // ensure different host is blocked
+          await browser.get(`https://example.vercel.sh/`)
+          await browser.eval(scriptSnippet)
+
+          await retry(async () => {
+            expect(await browser.elementByCss('#status').text()).toBe('error')
+          })
+        } finally {
+          server.close()
+        }
+      })
+    })
+  }
+)
diff --git a/test/development/basic/misc.test.ts b/test/development/basic/misc.test.ts
