redirect a POST rsc-x-component / fetch fails with CORS

[aheissenberger]

Describe the bug

I have a middleware which will redirect to my OAuth API to handle the OAuth Flow.
But the redirect from the middleware will not lead to a change of the document url. The ClientProvider will fetch and follow the redirect until the url is not part of the domain and fail with a CORS policy error.

A solution might be to add a third parameter object to redirect() function to force the redirect to be done as a real location change in the browser by returning a redirect as a special rsc object which is interpreted by ClientProvider and issues a change of the location in the browser. The current problem comes from the fact that a real http redirect response object is issued and handled by the fetch request in ClientProvider.

Example:
redirect('/api/login',302,{force: 'native'})

The only working solution currently is not to replace the <Link> component with <a> tag which fixes some cases but not all.

Reproduction

No response

Steps to reproduce

No response

System Info

System:
    OS: macOS 15.7.1
    CPU: (12) arm64 Apple M4 Pro
    Memory: 1.96 GB / 48.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 25.2.1 - /opt/homebrew/bin/node
    npm: 11.6.2 - /opt/homebrew/bin/npm
    pnpm: 10.22.0 - /opt/homebrew/bin/pnpm
  Browsers:
    Chrome: 142.0.7444.176
    Safari: 26.0.1
  npmPackages:
    @lazarv/react-server: 0.0.0-experimental-600622d-20251109-6c5a6bee => 0.0.0-experimental-600622d-20251109-6c5a6bee

Used Package Manager

pnpm

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion.
• The provided reproduction is a minimal reproducible example of the bug.

[lazarv]

I see the missing point here.
The framework treats all redirect URLs as internal navigation, even when you use an external URL.
The first step would be to heuristically recognize external URLs and perform a proper browser location change in those cases so that you can use redirect() for OAuth redirects by default.
But to enable more a controlled redirect behavior, I would suggest having the new parameter for the redirect() as this:

type RedirectKind =
  | 'navigate'  // internal RSC routing
  | 'location'  // browser-level navigation (window.location)
  | 'push'      // history.pushState(...)
  | 'replace'   // history.replaceState(...)
  | 'error';    // throw error

function redirect(
  url: string,
  status?: number,
  kind?: RedirectKind
): void;

The kind would be added to the error thrown by the redirect, so the client can use it to drive the redirect behavior in the browser. Defaults to navigate.

[aheissenberger]

I found some an additional edge cases with the <Link to=""/> x-componet POST request and filer-router.

1.) to= path does not exist on server
Client <link to="/does-not-exist"/>. A click on the link will create a x-componet POST which results in a 404 HTTP response. When the path of the link does not exist on the server the fallback middleware will return a normal 404 response which is not handled after the fetch in

react-server/packages/react-server/client/ClientProvider.jsx

Line 701 in 5d0671e

const { body } = response;

. The reason is this file-router middleware

react-server/packages/react-server/lib/plugins/file-router/entrypoint.jsx

Line 243 in 5d0671e

() => {

2.) redirect to external url in middleware
Client <link to="/redirect-external"/>. A click on the link will create a x-componet POST which calls redirect("https://react-server.dev"); in a middleware and using file-router will return a 404 response - currently not handled

3.) redirect to api to external url
Client <link to="/redirect-external"/>. A click on the link will create a x-componet POST which calls redirect("/api-redirect"); in a middleware. This will execute the existing API on the backend and using file-router will return a 404 response - currently not handled

Here is the file-router expanded with more tests and the implementation of handling none 2xx responses.
aheissenberger@cc24997

I would suggest to change the handling of redirect when called inside a x-component request:

1. when path is not found, return default 404 page or a defined custom 404 page
2. when path is a local API path, return a x-component which leads to a redirect to this api in the browser
3. when redirect contains a url and not a path, return a x-component which leads to a redirect to this url in the browser

With this changes, there should be no need to add the kind property