rwsdk 1.2.1 → 1.2.3

package/dist/runtime/register/methodEnforcer.d.ts

@@ -3,6 +3,7 @@ type DecodeReply = (data: string | FormData, moduleMap: null) => Promise<unknown
 export interface RscActionHandlerDeps {
     getServerModuleExport: GetServerModuleExport;
     decodeReply: DecodeReply;
+    allowedOrigins?: readonly string[];
 }
-export declare function rscActionHandler(req: Request, { getServerModuleExport, decodeReply }: RscActionHandlerDeps): Promise<unknown>;
+export declare function rscActionHandler(req: Request, { getServerModuleExport, decodeReply, allowedOrigins }: RscActionHandlerDeps): Promise<unknown>;
 export {};

package/dist/runtime/register/methodEnforcer.js

@@ -2,9 +2,45 @@
 // The real getServerModuleExport and decodeReply require the react-server environment
 // (virtual module lookup, react-server-dom-webpack), so we accept them as injected
 // dependencies. worker.ts passes the real implementations; tests pass fakes.
-export async function rscActionHandler(req, { getServerModuleExport, decodeReply }) {
+// context(justinvdm, 2026-04-20): Origin validation for non-GET action requests.
+// Method enforcement alone does not distinguish a legitimate same-origin POST
+// from a POST driven by a same-site sibling origin (e.g. sibling subdomain,
+// another localhost port). SameSite=Lax cookies are attached in both cases, and
+// the action request's Content-Type is CORS-safelisted, so no preflight fires.
+// We require the request's Origin header to match the app's own origin, unless
+// the caller origin is listed in allowedOrigins.
+function validateSameOrigin(req, allowedOrigins) {
+    const origin = req.headers.get("Origin");
+    if (!origin) {
+        return {
+            valid: false,
+            response: new Response("Missing Origin header", { status: 403 }),
+        };
+    }
+    const selfOrigin = new URL(req.url).origin;
+    if (origin === selfOrigin) {
+        return { valid: true };
+    }
+    if (allowedOrigins && allowedOrigins.includes(origin)) {
+        return { valid: true };
+    }
+    return {
+        valid: false,
+        response: new Response("Origin not allowed", { status: 403 }),
+    };
+}
+export async function rscActionHandler(req, { getServerModuleExport, decodeReply, allowedOrigins }) {
     const url = new URL(req.url);
     const contentType = req.headers.get("content-type");
+    // context(justinvdm, 2026-04-20): Enforce Origin/Host match for non-GET action
+    // requests. GET (serverQuery) is expected to be idempotent and is not subject
+    // to this check.
+    if (req.method !== "GET") {
+        const originCheck = validateSameOrigin(req, allowedOrigins);
+        if (!originCheck.valid) {
+            return originCheck.response;
+        }
+    }
     let args = [];
     if (req.method === "GET") {
         const argsParam = url.searchParams.get("args");

package/dist/runtime/register/methodEnforcer.test.js

@@ -6,15 +6,30 @@ function createDeps(action) {
         decodeReply: vi.fn().mockResolvedValue([]),
     };
 }
-function makeRequest(url, method, body) {
+function makeRequest(url, method, body, extraHeaders) {
     const init = { method };
+    const headers = {};
     if (body !== undefined) {
         init.body = body;
-        init.headers = { "content-type": "application/json" };
+        headers["content-type"] = "application/json";
+    }
+    if (extraHeaders) {
+        Object.assign(headers, extraHeaders);
+    }
+    if (Object.keys(headers).length > 0) {
+        init.headers = headers;
     }
     return new Request(url, init);
 }
 const ACTION_URL = "https://app.test/page?__rsc_action_id=%2Factions.tsx%23doThing";
+const SELF_ORIGIN = "https://app.test";
+function postWithOrigin(origin) {
+    const headers = {};
+    if (origin !== undefined) {
+        headers["Origin"] = origin;
+    }
+    return makeRequest(ACTION_URL, "POST", "[]", headers);
+}
 describe("rscActionHandler method enforcement", () => {
     it("rejects GET for an action with method POST", async () => {
         const action = Object.assign(vi.fn(), { method: "POST" });
@@ -30,7 +45,7 @@ describe("rscActionHandler method enforcement", () => {
     it("rejects POST for an action with method GET", async () => {
         const action = Object.assign(vi.fn(), { method: "GET" });
         const deps = createDeps(action);
-        const req = makeRequest(ACTION_URL, "POST", "[]");
+        const req = makeRequest(ACTION_URL, "POST", "[]", { Origin: SELF_ORIGIN });
         const result = await rscActionHandler(req, deps);
         expect(result).toBeInstanceOf(Response);
         const res = result;
@@ -43,7 +58,7 @@ describe("rscActionHandler method enforcement", () => {
             method: "POST",
         });
         const deps = createDeps(action);
-        const req = makeRequest(ACTION_URL, "POST", "[]");
+        const req = makeRequest(ACTION_URL, "POST", "[]", { Origin: SELF_ORIGIN });
         const result = await rscActionHandler(req, deps);
         expect(result).toBe("ok");
         expect(action).toHaveBeenCalled();
@@ -61,7 +76,9 @@ describe("rscActionHandler method enforcement", () => {
     it("defaults to POST for actions without .method property", async () => {
         const action = vi.fn().mockReturnValue("ok");
         const deps = createDeps(action);
-        const postReq = makeRequest(ACTION_URL, "POST", "[]");
+        const postReq = makeRequest(ACTION_URL, "POST", "[]", {
+            Origin: SELF_ORIGIN,
+        });
         const postResult = await rscActionHandler(postReq, deps);
         expect(postResult).toBe("ok");
         expect(action).toHaveBeenCalled();
@@ -120,9 +137,101 @@ describe("rscActionHandler method enforcement", () => {
             getServerModuleExport: vi.fn().mockResolvedValue(action),
             decodeReply: vi.fn().mockResolvedValue(["decoded-arg"]),
         };
-        const req = makeRequest(ACTION_URL, "POST", "serialized-body");
+        const req = makeRequest(ACTION_URL, "POST", "serialized-body", {
+            Origin: SELF_ORIGIN,
+        });
         await rscActionHandler(req, deps);
         expect(deps.decodeReply).toHaveBeenCalledWith("serialized-body", null);
         expect(action).toHaveBeenCalledWith("decoded-arg");
     });
 });
+describe("rscActionHandler origin enforcement", () => {
+    it("allows POST whose Origin matches the request's own origin", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("ok"), {
+            method: "POST",
+        });
+        const deps = createDeps(action);
+        const req = postWithOrigin(SELF_ORIGIN);
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("ok");
+        expect(action).toHaveBeenCalled();
+    });
+    it("rejects POST from a different origin with 403", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = postWithOrigin("https://evil.test");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        expect(result.status).toBe(403);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("rejects POST from a same-site sibling subdomain with 403", async () => {
+        // context(justinvdm, 2026-04-20): The exact scenario in the advisory —
+        // Origin sits under the same registrable domain so SameSite=Lax cookies
+        // are attached, but the Origin header does not match the app's own origin.
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = postWithOrigin("https://evil.test.example");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        expect(result.status).toBe(403);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("rejects POST missing the Origin header with 403", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = postWithOrigin(undefined);
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        expect(result.status).toBe(403);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("allows POST from an origin in the allowedOrigins list", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("ok"), {
+            method: "POST",
+        });
+        const deps = {
+            ...createDeps(action),
+            allowedOrigins: ["https://trusted.example"],
+        };
+        const req = postWithOrigin("https://trusted.example");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("ok");
+        expect(action).toHaveBeenCalled();
+    });
+    it("rejects POST from an origin not in the allowedOrigins list", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = {
+            ...createDeps(action),
+            allowedOrigins: ["https://trusted.example"],
+        };
+        const req = postWithOrigin("https://not-trusted.example");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        expect(result.status).toBe(403);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("does not apply the origin check to GET (serverQuery) requests", async () => {
+        // context(justinvdm, 2026-04-20): GET is expected to be idempotent and is
+        // out of scope for the origin check. A top-level GET navigation from
+        // another origin does not send an Origin header at all, so enforcing here
+        // would reject legitimate navigations.
+        const action = Object.assign(vi.fn().mockReturnValue("data"), {
+            method: "GET",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL + "&args=%5B%5D", "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("data");
+        expect(action).toHaveBeenCalled();
+    });
+    it("runs origin check before invoking the action", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = postWithOrigin("https://evil.test");
+        await rscActionHandler(req, deps);
+        expect(deps.getServerModuleExport).not.toHaveBeenCalled();
+        expect(deps.decodeReply).not.toHaveBeenCalled();
+        expect(action).not.toHaveBeenCalled();
+    });
+});

package/dist/runtime/register/worker.d.ts

@@ -1,4 +1,7 @@
 export declare function registerServerReference(action: Function, id: string, name: string): Function;
 export declare function registerClientReference<Target extends Record<string, unknown>>(ssrModule: Target, id: string, exportName: string): {};
 export declare function __smokeTestActionHandler(timestamp?: number): Promise<unknown>;
+export declare function createRscActionHandler(options?: {
+    allowedOrigins?: readonly string[];
+}): (req: Request) => Promise<unknown>;
 export declare function rscActionHandler(req: Request): Promise<unknown>;

package/dist/runtime/register/worker.js

@@ -48,6 +48,13 @@ export async function __smokeTestActionHandler(timestamp) {
     await new Promise((resolve) => setTimeout(resolve, 0));
     return { status: "ok", timestamp };
 }
+export function createRscActionHandler(options = {}) {
+    return (req) => rscActionHandlerImpl(req, {
+        getServerModuleExport,
+        decodeReply,
+        allowedOrigins: options.allowedOrigins,
+    });
+}
 export async function rscActionHandler(req) {
     return rscActionHandlerImpl(req, { getServerModuleExport, decodeReply });
 }

package/dist/runtime/worker.d.ts

@@ -12,7 +12,10 @@ export type AppDefinition<Routes extends readonly Route<any>[], T extends Reques
     fetch: (request: Request, env: Env, cf: ExecutionContext) => Promise<Response>;
     __rwRoutes: Routes;
 };
-export declare const defineApp: <T extends RequestInfo = RequestInfo<any, DefaultAppContext>, Routes extends readonly Route<T>[] = readonly Route<T>[]>(routes: Routes) => AppDefinition<Routes, T>;
+export interface DefineAppOptions {
+    allowedOrigins?: readonly string[];
+}
+export declare const defineApp: <T extends RequestInfo = RequestInfo<any, DefaultAppContext>, Routes extends readonly Route<T>[] = readonly Route<T>[]>(routes: Routes, options?: DefineAppOptions) => AppDefinition<Routes, T>;
 export declare const DefaultDocument: React.FC<{
     children: React.ReactNode;
 }>;

package/dist/runtime/worker.js

@@ -4,14 +4,17 @@ import { renderDocumentHtmlStream } from "./render/renderDocumentHtmlStream";
 import { renderToRscStream } from "./render/renderToRscStream";
 import { injectRSCPayload } from "rsc-html-stream/server";
 import { ErrorResponse } from "./error";
-import { rscActionHandler } from "./register/worker";
+import { createRscActionHandler } from "./register/worker";
 import { getRequestInfo, runWithRequestInfo, runWithRequestInfoOverrides, } from "./requestInfo/worker";
 import { ssrWebpackRequire } from "./imports/worker";
 import { defineRoutes } from "./lib/router";
 import { generateNonce } from "./lib/utils";
 export * from "./requestInfo/types";
-export const defineApp = (routes) => {
+export const defineApp = (routes, options = {}) => {
     const router = defineRoutes(routes);
+    const rscActionHandler = createRscActionHandler({
+        allowedOrigins: options.allowedOrigins,
+    });
     return {
         __rwRoutes: routes,
         fetch: async (request, env, cf) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rwsdk",
-  "version": "1.2.1",
+  "version": "1.2.3",
   "description": "Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime",
   "type": "module",
   "bin": {