react-router 7.11.0 → 7.12.0-pre.0

package/CHANGELOG.md

@@ -1,5 +1,50 @@
 # `react-router`
 
+## 7.12.0-pre.0
+
+### Minor Changes
+
+- Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the `react-router.config.ts` config `allowedActionOrigins` field. ([#14708](https://github.com/remix-run/react-router/pull/14708))
+
+### Patch Changes
+
+- Fix `generatePath` when used with suffixed params (i.e., "/books/:id.json") ([#14269](https://github.com/remix-run/react-router/pull/14269))
+- Export `UNSAFE_createMemoryHistory` and `UNSAFE_createHashHistory` alongside `UNSAFE_createBrowserHistory` for consistency. These are not intended to be used for new apps but intended to help apps usiong `unstable_HistoryRouter` migrate from v6->v7 so they can adopt the newer APIs. ([#14663](https://github.com/remix-run/react-router/pull/14663))
+- Escape HTML in scroll restoration keys ([#14705](https://github.com/remix-run/react-router/pull/14705))
+- Validate redirect locations ([#14706](https://github.com/remix-run/react-router/pull/14706))
+- [UNSTABLE] Pass `<Scripts nonce>` value through to the underlying `importmap` `script` tag when using `future.unstable_subResourceIntegrity` ([#14675](https://github.com/remix-run/react-router/pull/14675))
+- [UNSTABLE] Add a new `future.unstable_trailingSlashAwareDataRequests` flag to provide consistent behavior of `request.pathname` inside `middleware`, `loader`, and `action` functions on document and data requests when a trailing slash is present in the browser URL. ([#14644](https://github.com/remix-run/react-router/pull/14644))
+
+  Currently, your HTTP and `request` pathnames would be as follows for `/a/b/c` and `/a/b/c/`
+
+  | URL `/a/b/c` | **HTTP pathname** | **`request` pathname`** |
+  | ------------ | ----------------- | ----------------------- |
+  | **Document** | `/a/b/c`          | `/a/b/c` ✅             |
+  | **Data**     | `/a/b/c.data`     | `/a/b/c` ✅             |
+
+  | URL `/a/b/c/` | **HTTP pathname** | **`request` pathname`** |
+  | ------------- | ----------------- | ----------------------- |
+  | **Document**  | `/a/b/c/`         | `/a/b/c/` ✅            |
+  | **Data**      | `/a/b/c.data`     | `/a/b/c` ⚠️             |
+
+  With this flag enabled, these pathnames will be made consistent though a new `_.data` format for client-side `.data` requests:
+
+  | URL `/a/b/c` | **HTTP pathname** | **`request` pathname`** |
+  | ------------ | ----------------- | ----------------------- |
+  | **Document** | `/a/b/c`          | `/a/b/c` ✅             |
+  | **Data**     | `/a/b/c.data`     | `/a/b/c` ✅             |
+
+  | URL `/a/b/c/` | **HTTP pathname**  | **`request` pathname`** |
+  | ------------- | ------------------ | ----------------------- |
+  | **Document**  | `/a/b/c/`          | `/a/b/c/` ✅            |
+  | **Data**      | `/a/b/c/_.data` ⬅️ | `/a/b/c/` ✅            |
+
+  This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.
+
+  Enabling this flag also changes the format of client side `.data` requests from `/_root.data` to `/_.data` when navigating to `/` to align with the new format. This does not impact the `request` pathname which is still `/` in all cases.
+
+- Preserve `clientLoader.hydrate=true` when using `<HydratedRouter unstable_instrumentations>` ([#14674](https://github.com/remix-run/react-router/pull/14674))
+
 ## 7.11.0
 
 ### Minor Changes
@@ -19,14 +64,12 @@
 - \[UNSTABLE] Add a new `unstable_defaultShouldRevalidate` flag to various APIs to allow opt-ing out of standard revalidation behaviors. ([#14542](https://github.com/remix-run/react-router/pull/14542))
 
   If active routes include a `shouldRevalidate` function, then your value will be passed as `defaultShouldRevalidate` in those function so that the route always has the final revalidation determination.
-
   - `<Form method="post" unstable_defaultShouldRevalidate={false}>`
   - `submit(data, { method: "post", unstable_defaultShouldRevalidate: false })`
   - `<fetcher.Form method="post" unstable_defaultShouldRevalidate={false}>`
   - `fetcher.submit(data, { method: "post", unstable_defaultShouldRevalidate: false })`
 
   This is also available on non-submission APIs that may trigger revalidations due to changing search params:
-
   - `<Link to="/" unstable_defaultShouldRevalidate={false}>`
   - `navigate("/?foo=bar", { unstable_defaultShouldRevalidate: false })`
   - `setSearchParams(params, { unstable_defaultShouldRevalidate: false })`
@@ -49,7 +92,6 @@
   - ⚠️ This is a breaking change if you have begun using `fetcher.unstable_reset()`
 
 - Stabilize the `dataStrategy` `match.shouldRevalidateArgs`/`match.shouldCallHandler()` APIs. ([#14592](https://github.com/remix-run/react-router/pull/14592))
-
   - The `match.shouldLoad` API is now marked deprecated in favor of these more powerful alternatives
 
   - If you're using this API in a custom `dataStrategy` today, you can swap to the new API at your convenience:
@@ -178,7 +220,6 @@
 - Ensure action handlers run for routes with middleware even if no loader is present ([#14443](https://github.com/remix-run/react-router/pull/14443))
 
 - Add `unstable_instrumentations` API to allow users to add observablity to their apps by instrumenting route loaders, actions, middlewares, lazy, as well as server-side request handlers and client side navigations/fetches ([#14412](https://github.com/remix-run/react-router/pull/14412))
-
   - Framework Mode:
     - `entry.server.tsx`: `export const unstable_instrumentations = [...]`
     - `entry.client.tsx`: `<HydratedRouter unstable_instrumentations={[...]} />`
@@ -340,7 +381,6 @@
 - Stabilize middleware and context APIs. ([#14215](https://github.com/remix-run/react-router/pull/14215))
 
   We have removed the `unstable_` prefix from the following APIs and they are now considered stable and ready for production use:
-
   - [`RouterContextProvider`](https://reactrouter.com/api/utils/RouterContextProvider)
   - [`createContext`](https://reactrouter.com/api/utils/createContext)
   - `createBrowserRouter` [`getContext`](https://reactrouter.com/api/data-routers/createBrowserRouter#optsgetcontext) option
@@ -367,7 +407,7 @@
 
 - \[UNSTABLE] Add `<RouterProvider unstable_onError>`/`<HydratedRouter unstable_onError>` prop for client side error reporting ([#14162](https://github.com/remix-run/react-router/pull/14162))
 
-- server action revalidation opt out via $SKIP\_REVALIDATION field ([#14154](https://github.com/remix-run/react-router/pull/14154))
+- server action revalidation opt out via $SKIP_REVALIDATION field ([#14154](https://github.com/remix-run/react-router/pull/14154))
 
 - Properly escape interpolated param values in `generatePath()` ([#13530](https://github.com/remix-run/react-router/pull/13530))
 
@@ -416,7 +456,6 @@
 - Remove dependency on `@types/node` in TypeScript declaration files ([#14059](https://github.com/remix-run/react-router/pull/14059))
 
 - Fix types for `UIMatch` to reflect that the `loaderData`/`data` properties may be `undefined` ([#12206](https://github.com/remix-run/react-router/pull/12206))
-
   - When an `ErrorBoundary` is being rendered, not all active matches will have loader data available, since it may have been their `loader` that threw to trigger the boundary
   - The `UIMatch.data` type was not correctly handing this and would always reflect the presence of data, leading to the unexpected runtime errors when an `ErrorBoundary` was rendered
   - ⚠️ This may cause some type errors to show up in your code for unguarded `match.data` accesses - you should properly guard for `undefined` values in those scenarios.
@@ -450,7 +489,6 @@
 - \[UNSTABLE] When middleware is enabled, make the `context` parameter read-only (via `Readonly<unstable_RouterContextProvider>`) so that TypeScript will not allow you to write arbitrary fields to it in loaders, actions, or middleware. ([#14097](https://github.com/remix-run/react-router/pull/14097))
 
 - \[UNSTABLE] Rename and alter the signature/functionality of the `unstable_respond` API in `staticHandler.query`/`staticHandler.queryRoute` ([#14103](https://github.com/remix-run/react-router/pull/14103))
-
   - The API has been renamed to `unstable_generateMiddlewareResponse` for clarity
   - The main functional change is that instead of running the loaders/actions before calling `unstable_respond` and handing you the result, we now pass a `query`/`queryRoute` function as a parameter and you execute the loaders/actions inside your callback, giving you full access to pre-processing and error handling
   - The `query` version of the API now has a signature of `(query: (r: Request) => Promise<StaticHandlerContext | Response>) => Promise<Response>`
@@ -1096,7 +1134,6 @@
   ```
 
   Similar to server-side requests, a fresh `context` will be created per navigation (or `fetcher` call). If you have initial data you'd like to populate in the context for every request, you can provide an `unstable_getContext` function at the root of your app:
-
   - Library mode - `createBrowserRouter(routes, { unstable_getContext })`
   - Framework mode - `<HydratedRouter unstable_getContext>`
 
@@ -1284,7 +1321,6 @@ _No changes_
 - Remove `future.v7_normalizeFormMethod` future flag ([#11697](https://github.com/remix-run/react-router/pull/11697))
 
 - For Remix consumers migrating to React Router, the `crypto` global from the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API) is now required when using cookie and session APIs. This means that the following APIs are provided from `react-router` rather than platform-specific packages: ([#11837](https://github.com/remix-run/react-router/pull/11837))
-
   - `createCookie`
   - `createCookieSessionStorage`
   - `createMemorySessionStorage`
@@ -1293,7 +1329,6 @@ _No changes_
   For consumers running older versions of Node, the `installGlobals` function from `@remix-run/node` has been updated to define `globalThis.crypto`, using [Node's `require('node:crypto').webcrypto` implementation.](https://nodejs.org/api/webcrypto.html)
 
   Since platform-specific packages no longer need to implement this API, the following low-level APIs have been removed:
-
   - `createCookieFactory`
   - `createSessionStorageFactory`
   - `createCookieSessionStorageFactory`
@@ -1449,7 +1484,6 @@ _No changes_
   ```
 
   This initial implementation targets type inference for:
-
   - `Params` : Path parameters from your routing config in `routes.ts` including file-based routing
   - `LoaderData` : Loader data from `loader` and/or `clientLoader` within your route module
   - `ActionData` : Action data from `action` and/or `clientAction` within your route module
@@ -1464,7 +1498,6 @@ _No changes_
   ```
 
   Check out our docs for more:
-
   - [_Explanations > Type Safety_](https://reactrouter.com/dev/guides/explanation/type-safety)
   - [_How-To > Setting up type safety_](https://reactrouter.com/dev/guides/how-to/setting-up-type-safety)
 

package/dist/development/{browser-Cv4JZyZ5.d.mts → browser-BEPxnEBW.d.mts}

@@ -1,5 +1,5 @@
 import * as React from 'react';
-import { L as Location, C as ClientActionFunction, a as ClientLoaderFunction, b as LinksFunction, M as MetaFunction, S as ShouldRevalidateFunction, P as Params, c as RouterContextProvider, A as ActionFunction, H as HeadersFunction, d as LoaderFunction, e as RouterInit } from './router-5fbeEIMQ.mjs';
+import { L as Location, C as ClientActionFunction, a as ClientLoaderFunction, b as LinksFunction, M as MetaFunction, S as ShouldRevalidateFunction, P as Params, c as RouterContextProvider, A as ActionFunction, H as HeadersFunction, d as LoaderFunction, e as RouterInit } from './router-5iOvts3c.mjs';
 
 type RSCRouteConfigEntryBase = {
     action?: ActionFunction;
@@ -138,6 +138,7 @@ type LoadServerActionFunction = (id: string) => Promise<Function>;
  * @category RSC
  * @mode data
  * @param opts Options
+ * @param opts.allowedActionOrigins Origin patterns that are allowed to execute actions.
  * @param opts.basename The basename to use when matching the request.
  * @param opts.createTemporaryReferenceSet A function that returns a temporary
  * reference set for the request, used to track temporary references in the [RSC](https://react.dev/reference/rsc/server-components)
@@ -167,7 +168,8 @@ type LoadServerActionFunction = (id: string) => Promise<Function>;
  * that contains the [RSC](https://react.dev/reference/rsc/server-components)
  * data for hydration.
  */
-declare function matchRSCServerRequest({ createTemporaryReferenceSet, basename, decodeReply, requestContext, loadServerAction, decodeAction, decodeFormState, onError, request, routes, generateResponse, }: {
+declare function matchRSCServerRequest({ allowedActionOrigins, createTemporaryReferenceSet, basename, decodeReply, requestContext, loadServerAction, decodeAction, decodeFormState, onError, request, routes, generateResponse, }: {
+    allowedActionOrigins?: string[];
     createTemporaryReferenceSet: () => unknown;
     basename?: string;
     decodeReply?: DecodeReplyFunction;

package/dist/{production/browser-Cv4JZyZ5.d.mts → development/browser-CJ9_du-U.d.ts}

@@ -1,5 +1,5 @@
 import * as React from 'react';
-import { L as Location, C as ClientActionFunction, a as ClientLoaderFunction, b as LinksFunction, M as MetaFunction, S as ShouldRevalidateFunction, P as Params, c as RouterContextProvider, A as ActionFunction, H as HeadersFunction, d as LoaderFunction, e as RouterInit } from './router-5fbeEIMQ.mjs';
+import { L as Location, C as ClientActionFunction, a as ClientLoaderFunction, b as LinksFunction, M as MetaFunction, S as ShouldRevalidateFunction, P as Params, c as RouterContextProvider, A as ActionFunction, H as HeadersFunction, d as LoaderFunction, e as RouterInit } from './instrumentation-DvHY1sgY.js';
 
 type RSCRouteConfigEntryBase = {
     action?: ActionFunction;
@@ -138,6 +138,7 @@ type LoadServerActionFunction = (id: string) => Promise<Function>;
  * @category RSC
  * @mode data
  * @param opts Options
+ * @param opts.allowedActionOrigins Origin patterns that are allowed to execute actions.
  * @param opts.basename The basename to use when matching the request.
  * @param opts.createTemporaryReferenceSet A function that returns a temporary
  * reference set for the request, used to track temporary references in the [RSC](https://react.dev/reference/rsc/server-components)
@@ -167,7 +168,8 @@ type LoadServerActionFunction = (id: string) => Promise<Function>;
  * that contains the [RSC](https://react.dev/reference/rsc/server-components)
  * data for hydration.
  */
-declare function matchRSCServerRequest({ createTemporaryReferenceSet, basename, decodeReply, requestContext, loadServerAction, decodeAction, decodeFormState, onError, request, routes, generateResponse, }: {
+declare function matchRSCServerRequest({ allowedActionOrigins, createTemporaryReferenceSet, basename, decodeReply, requestContext, loadServerAction, decodeAction, decodeFormState, onError, request, routes, generateResponse, }: {
+    allowedActionOrigins?: string[];
     createTemporaryReferenceSet: () => unknown;
     basename?: string;
     decodeReply?: DecodeReplyFunction;

package/dist/development/{chunk-YNUBSHFH.mjs → chunk-2RQJSHF5.mjs}

@@ -1,5 +1,5 @@
 /**
- * react-router v7.11.0
+ * react-router v7.12.0-pre.0
  *
  * Copyright (c) Remix Software Inc.
  *
@@ -51,7 +51,7 @@ import {
   withComponentProps,
   withErrorBoundaryProps,
   withHydrateFallbackProps
-} from "./chunk-JMJ3UQ3L.mjs";
+} from "./chunk-KYKH2NCS.mjs";
 
 // lib/dom/ssr/server.tsx
 import * as React from "react";
@@ -138,7 +138,8 @@ function createRoutesStub(routes, _context) {
       frameworkContextRef.current = {
         future: {
           unstable_subResourceIntegrity: future?.unstable_subResourceIntegrity === true,
-          v8_middleware: future?.v8_middleware === true
+          v8_middleware: future?.v8_middleware === true,
+          unstable_trailingSlashAwareDataRequests: future?.unstable_trailingSlashAwareDataRequests === true
         },
         manifest: {
           routes: {},
@@ -754,6 +755,85 @@ function prependCookies(parentHeaders, childHeaders) {
   }
 }
 
+// lib/actions.ts
+function throwIfPotentialCSRFAttack(headers, allowedActionOrigins) {
+  let originHeader = headers.get("origin");
+  let originDomain = typeof originHeader === "string" && originHeader !== "null" ? new URL(originHeader).host : originHeader;
+  let host = parseHostHeader(headers);
+  if (originDomain && (!host || originDomain !== host.value)) {
+    if (!isAllowedOrigin(originDomain, allowedActionOrigins)) {
+      if (host) {
+        throw new Error(
+          `${host.type} header does not match \`origin\` header from a forwarded action request. Aborting the action.`
+        );
+      } else {
+        throw new Error(
+          "`x-forwarded-host` or `host` headers are not provided. One of these is needed to compare the `origin` header from a forwarded action request. Aborting the action."
+        );
+      }
+    }
+  }
+}
+function matchWildcardDomain(domain, pattern) {
+  const domainParts = domain.split(".");
+  const patternParts = pattern.split(".");
+  if (patternParts.length < 1) {
+    return false;
+  }
+  if (domainParts.length < patternParts.length) {
+    return false;
+  }
+  if (patternParts.length === 1 && (patternParts[0] === "*" || patternParts[0] === "**")) {
+    return false;
+  }
+  while (patternParts.length) {
+    const patternPart = patternParts.pop();
+    const domainPart = domainParts.pop();
+    switch (patternPart) {
+      case "": {
+        return false;
+      }
+      case "*": {
+        if (domainPart) {
+          continue;
+        } else {
+          return false;
+        }
+      }
+      case "**": {
+        if (patternParts.length > 0) {
+          return false;
+        }
+        return domainPart !== void 0;
+      }
+      case void 0:
+      default: {
+        if (domainPart !== patternPart) {
+          return false;
+        }
+      }
+    }
+  }
+  return domainParts.length === 0;
+}
+function isAllowedOrigin(originDomain, allowedActionOrigins = []) {
+  return allowedActionOrigins.some(
+    (allowedOrigin) => allowedOrigin && (allowedOrigin === originDomain || matchWildcardDomain(originDomain, allowedOrigin))
+  );
+}
+function parseHostHeader(headers) {
+  let forwardedHostHeader = headers.get("x-forwarded-host");
+  let forwardedHostValue = forwardedHostHeader?.split(",")[0]?.trim();
+  let hostHeader = headers.get("host");
+  return forwardedHostValue ? {
+    type: "x-forwarded-host",
+    value: forwardedHostValue
+  } : hostHeader ? {
+    type: "host",
+    value: hostHeader
+  } : void 0;
+}
+
 // lib/server-runtime/single-fetch.ts
 var SERVER_NO_BODY_STATUS_CODES = /* @__PURE__ */ new Set([
   ...NO_BODY_STATUS_CODES,
@@ -761,6 +841,10 @@ var SERVER_NO_BODY_STATUS_CODES = /* @__PURE__ */ new Set([
 ]);
 async function singleFetchAction(build, serverMode, staticHandler, request, handlerUrl, loadContext, handleError) {
   try {
+    throwIfPotentialCSRFAttack(
+      request.headers,
+      Array.isArray(build.allowedActionOrigins) ? build.allowedActionOrigins : []
+    );
     let handlerRequest = new Request(handlerUrl, {
       method: request.method,
       body: request.body,
@@ -1041,13 +1125,21 @@ function derive(build, mode) {
     let url = new URL(request.url);
     let normalizedBasename = build.basename || "/";
     let normalizedPath = url.pathname;
-    if (stripBasename(normalizedPath, normalizedBasename) === "/_root.data") {
-      normalizedPath = normalizedBasename;
-    } else if (normalizedPath.endsWith(".data")) {
-      normalizedPath = normalizedPath.replace(/\.data$/, "");
-    }
-    if (stripBasename(normalizedPath, normalizedBasename) !== "/" && normalizedPath.endsWith("/")) {
-      normalizedPath = normalizedPath.slice(0, -1);
+    if (build.future.unstable_trailingSlashAwareDataRequests) {
+      if (normalizedPath.endsWith("/_.data")) {
+        normalizedPath = normalizedPath.replace(/_.data$/, "");
+      } else {
+        normalizedPath = normalizedPath.replace(/\.data$/, "");
+      }
+    } else {
+      if (stripBasename(normalizedPath, normalizedBasename) === "/_root.data") {
+        normalizedPath = normalizedBasename;
+      } else if (normalizedPath.endsWith(".data")) {
+        normalizedPath = normalizedPath.replace(/\.data$/, "");
+      }
+      if (stripBasename(normalizedPath, normalizedBasename) !== "/" && normalizedPath.endsWith("/")) {
+        normalizedPath = normalizedPath.slice(0, -1);
+      }
     }
     let isSpaMode = getBuildTimeHeader(request, "X-React-Router-SPA-Mode") === "yes";
     if (!build.ssr) {
@@ -1303,6 +1395,12 @@ async function handleSingleFetchRequest(serverMode, build, staticHandler, reques
 }
 async function handleDocumentRequest(serverMode, build, staticHandler, request, loadContext, handleError, isSpaMode, criticalCss) {
   try {
+    if (request.method === "POST") {
+      throwIfPotentialCSRFAttack(
+        request.headers,
+        Array.isArray(build.allowedActionOrigins) ? build.allowedActionOrigins : []
+      );
+    }
     let result = await staticHandler.query(request, {
       requestContext: loadContext,
       generateMiddlewareResponse: build.future.v8_middleware ? async (query) => {
@@ -2274,7 +2372,9 @@ function RSCStaticRouter({ getPayload }) {
       // These flags have no runtime impact so can always be false.  If we add
       // flags that drive runtime behavior they'll need to be proxied through.
       v8_middleware: false,
-      unstable_subResourceIntegrity: false
+      unstable_subResourceIntegrity: false,
+      unstable_trailingSlashAwareDataRequests: true
+      // always on for RSC
     },
     isSpaMode: false,
     ssr: true,