fix allowedDevOrigins for no-cors requests

[ztanner]

This PR makes configured allowedDevOrigins apply to cross-site no-cors dev asset requests. When browsers omit Origin for subresource loads, the dev guard now falls back to Referer so explicit allowlisted hosts can load /_next/* resources in development.

Previously, when allowedDevOrigins was configured, cross-site no-cors requests to internal Next.js dev resources were still blocked even for allowlisted hosts, because that code path never consulted the allowlist.

[ztanner]

• improve allowedDevOrigins error #91521
• block disallowed dev origins by default #91507
• fix allowedDevOrigins for no-cors requests #91506 👈 (View in Graphite)
• canary

This stack of pull requests is managed by Graphite. Learn more about stacking.

[nextjs-bot]

Tests Passed

[nextjs-bot]

Stats from current PR

✅ No significant changes detected

📊 All Metrics

📖 Metrics Glossary

Dev Server Metrics:

• Listen = TCP port starts accepting connections
• First Request = HTTP server returns successful response
• Cold = Fresh build (no cache)
• Warm = With cached build artifacts

Build Metrics:

• Fresh = Clean build (no .next directory)
• Cached = With existing .next directory

Change Thresholds:

• Time: Changes < 50ms AND < 10%, OR < 2% are insignificant
• Size: Changes < 1KB AND < 1% are insignificant
• All other changes are flagged to catch regressions

⚡ Dev Server

Metric	Canary	PR	Change	Trend
Cold (Listen)	455ms	455ms	✓	▁▁▇▆█
Cold (Ready in log)	435ms	434ms	✓	▁▁▆▆█
Cold (First Request)	1.124s	1.102s	✓	▁▁▅▅█
Warm (Listen)	456ms	457ms	✓	▁▁▆▆█
Warm (Ready in log)	441ms	439ms	✓	▁▁▆▆█
Warm (First Request)	339ms	338ms	✓	▁▂▆▆█

📦 Dev Server (Webpack) (Legacy)

📦 Dev Server (Webpack)

Metric	Canary	PR	Change	Trend
Cold (Listen)	456ms	456ms	✓	▄▁▁▁▁
Cold (Ready in log)	439ms	438ms	✓	▁▁▁▂▂
Cold (First Request)	1.953s	1.970s	✓	▁▁▂▁▁
Warm (Listen)	457ms	456ms	✓	▁▁▁▁▁
Warm (Ready in log)	439ms	440ms	✓	▁▁▄▃▃
Warm (First Request)	1.958s	1.971s	✓	▁▁▂▁▂

⚡ Production Builds

Metric	Canary	PR	Change	Trend
Fresh Build	3.820s	3.771s	✓	▁▁▅▅█
Cached Build	3.884s	3.912s	✓	▁▁▅▅█

📦 Production Builds (Webpack) (Legacy)

📦 Production Builds (Webpack)

Metric	Canary	PR	Change	Trend
Fresh Build	14.340s	14.392s	✓	▃▁▃▁▁
Cached Build	14.494s	14.504s	✓	▃▁▃▁▁
node_modules Size	483 MB	483 MB	✓	▁▁▁▁▁

📦 Bundle Sizes

Bundle Sizes

⚡ Turbopack

Client

Main Bundles

	Canary	PR	Change
0~lwfcrlb4v_9.css gzip	115 B	115 B	✓
00h0nz7r436~l.js gzip	13.3 kB	N/A	-
019g6dx8~tg3j.js gzip	12.9 kB	N/A	-
01hyw5k2pektr.js gzip	165 B	N/A	-
02ku7edzc_wf7.js gzip	450 B	N/A	-
03.jt.yij0sp5.js gzip	156 B	N/A	-
03~yq9q893hmn.js gzip	39.4 kB	39.4 kB	✓
07xoeani1nvm3.js gzip	160 B	N/A	-
092lcb3fqrrf9.js gzip	8.52 kB	N/A	-
0aj~xs1l1g8tg.js gzip	8.53 kB	N/A	-
0da_pb9kzb2kn.js gzip	155 B	N/A	-
0e8h5uad658lb.js gzip	158 B	N/A	-
0eg78sqvyqa0_.js gzip	13.7 kB	N/A	-
0er9hj8kfeon5.js gzip	159 B	N/A	-
0h35gmp9u328z.js gzip	8.54 kB	N/A	-
0h5_6bundp-th.js gzip	158 B	N/A	-
0h6fkavebp.iz.js gzip	8.47 kB	N/A	-
0hz76p1ivapc..js gzip	156 B	N/A	-
0ino_yf1k3h6k.js gzip	10.4 kB	N/A	-
0jhm6jhdqmpjo.js gzip	159 B	N/A	-
0jsi4egukhfz5.js gzip	7.61 kB	N/A	-
0lvs-p8c_wsxr.js gzip	164 B	N/A	-
0mg3n71n3apfm.js gzip	158 B	N/A	-
0moy~uao4dl.m.js gzip	9.19 kB	N/A	-
0q50rtpusjy90.js gzip	2.28 kB	N/A	-
0smgy2grrrlka.js gzip	8.58 kB	N/A	-
0t1dzhdfh0txh.js gzip	215 B	215 B	✓
0vsp1fl2.z4.s.js gzip	65.7 kB	N/A	-
0vt7pofxnk8in.js gzip	10.1 kB	N/A	-
0xn4~kh85i1yl.js gzip	158 B	N/A	-
0zid7o0-vupvp.js gzip	225 B	N/A	-
10.eoxjin7rtu.js gzip	170 B	N/A	-
11yo3xfd6b147.js gzip	12.9 kB	N/A	-
13.84hqxl_1p7.js gzip	9.76 kB	N/A	-
14_hwphcs58-s.js gzip	48.6 kB	N/A	-
1554wr-t7p6z-.js gzip	8.55 kB	N/A	-
15tjst79~qy3_.js gzip	1.46 kB	N/A	-
15z_v00ne4ud0.js gzip	8.47 kB	N/A	-
16bmw2cenxzht.js gzip	70.8 kB	N/A	-
17d_m3p4j9w6r.js gzip	5.62 kB	N/A	-
17yu~3yiu7d2m.js gzip	8.52 kB	N/A	-
turbopack-0...ei_3.js gzip	4.16 kB	N/A	-
turbopack-0~..g49a.js gzip	4.16 kB	N/A	-
turbopack-00...sj7.js gzip	4.16 kB	N/A	-
turbopack-01..wb-f.js gzip	4.16 kB	N/A	-
turbopack-0a..4j8v.js gzip	4.16 kB	N/A	-
turbopack-0a..vony.js gzip	4.16 kB	N/A	-
turbopack-0b..apy9.js gzip	4.16 kB	N/A	-
turbopack-0e..1hd9.js gzip	4.14 kB	N/A	-
turbopack-0h..mfr..js gzip	4.16 kB	N/A	-
turbopack-0j..r67w.js gzip	4.16 kB	N/A	-
turbopack-0o..wfza.js gzip	4.17 kB	N/A	-
turbopack-0o..-a.u.js gzip	4.16 kB	N/A	-
turbopack-14..r8af.js gzip	4.16 kB	N/A	-
turbopack-17..-zsp.js gzip	4.16 kB	N/A	-
0_.49f9yku.5j.js gzip	N/A	48.6 kB	-
0.trf7cy7lex2.js gzip	N/A	65.7 kB	-
0161xcklk666_.js gzip	N/A	70.8 kB	-
02~tmb04td02o.js gzip	N/A	152 B	-
03t__~.5lvgeu.js gzip	N/A	5.62 kB	-
04.6z6~bk0ba8.js gzip	N/A	7.6 kB	-
04d6ll75jqx3r.js gzip	N/A	9.19 kB	-
0583exyh-yhc7.js gzip	N/A	9.76 kB	-
05cxp9v1x.0bh.js gzip	N/A	157 B	-
072lv63r8dcz~.js gzip	N/A	8.58 kB	-
07k6dcww5s4pu.js gzip	N/A	13.7 kB	-
0ar1~bwpezfgw.js gzip	N/A	13.3 kB	-
0c99mq1ez2bke.js gzip	N/A	450 B	-
0cq-cmde_ws6u.js gzip	N/A	8.47 kB	-
0d8iwxpr_c-9..js gzip	N/A	158 B	-
0fwf102w10o9~.js gzip	N/A	8.52 kB	-
0gtmn.q_j1v5r.js gzip	N/A	10.4 kB	-
0h5~v-tahitcf.js gzip	N/A	10.1 kB	-
0ieyqrsatb5uz.js gzip	N/A	156 B	-
0liq8-ssf-7~s.js gzip	N/A	157 B	-
0mak3bd2_udgw.js gzip	N/A	157 B	-
0nclq9z6yzzm5.js gzip	N/A	1.46 kB	-
0nzumcogektg7.js gzip	N/A	8.55 kB	-
0q~84t.qzymmx.js gzip	N/A	156 B	-
0s.c-cn5eebrx.js gzip	N/A	8.47 kB	-
0s96lcgxburvc.js gzip	N/A	157 B	-
0tna7lg6q4zne.js gzip	N/A	12.9 kB	-
0votdfxr5fb5u.js gzip	N/A	2.28 kB	-
0x3fv.e4cu7hi.js gzip	N/A	162 B	-
0ykl9bs_qj.5..js gzip	N/A	8.52 kB	-
0zc4t5jwq51a_.js gzip	N/A	169 B	-
0zfen0tnxp4gh.js gzip	N/A	8.55 kB	-
0zu.6a1g298hi.js gzip	N/A	155 B	-
10wkq1h9jzkg..js gzip	N/A	225 B	-
11saksln_yfor.js gzip	N/A	159 B	-
12rby6d-jhpsx.js gzip	N/A	156 B	-
149ndfh8zfcaz.js gzip	N/A	8.53 kB	-
15gkb_10omqgr.js gzip	N/A	13 kB	-
turbopack-0~..k8oj.js gzip	N/A	4.16 kB	-
turbopack-00..ao~-.js gzip	N/A	4.16 kB	-
turbopack-01..w7k1.js gzip	N/A	4.16 kB	-
turbopack-04..tn7y.js gzip	N/A	4.17 kB	-
turbopack-0i..66vj.js gzip	N/A	4.16 kB	-
turbopack-0l..zyz-.js gzip	N/A	4.16 kB	-
turbopack-0t..lwh-.js gzip	N/A	4.16 kB	-
turbopack-0w..038..js gzip	N/A	4.16 kB	-
turbopack-10.._3j1.js gzip	N/A	4.16 kB	-
turbopack-12..ghjw.js gzip	N/A	4.16 kB	-
turbopack-15..9k9z.js gzip	N/A	4.14 kB	-
turbopack-17..5jmc.js gzip	N/A	4.15 kB	-
turbopack-17..u1co.js gzip	N/A	4.16 kB	-
turbopack-18..~69l.js gzip	N/A	4.16 kB	-
Total	463 kB	463 kB	✅ -64 B

Server

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	712 B	714 B	✓
Total	712 B	714 B	⚠️ +2 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	430 B	427 B	✓
Total	430 B	427 B	✅ -3 B

📦 Webpack

Client

Main Bundles

	Canary	PR	Change
5528-HASH.js gzip	5.54 kB	N/A	-
6280-HASH.js gzip	60.4 kB	N/A	-
6335.HASH.js gzip	169 B	N/A	-
912-HASH.js gzip	4.59 kB	N/A	-
e8aec2e4-HASH.js gzip	62.7 kB	N/A	-
framework-HASH.js gzip	59.7 kB	59.7 kB	✓
main-app-HASH.js gzip	256 B	254 B	✓
main-HASH.js gzip	39.2 kB	39.2 kB	✓
webpack-HASH.js gzip	1.68 kB	1.68 kB	✓
262-HASH.js gzip	N/A	4.59 kB	-
2889.HASH.js gzip	N/A	169 B	-
5602-HASH.js gzip	N/A	5.55 kB	-
6948ada0-HASH.js gzip	N/A	62.7 kB	-
9544-HASH.js gzip	N/A	61.1 kB	-
Total	234 kB	235 kB	⚠️ +672 B

Polyfills

	Canary	PR	Change
polyfills-HASH.js gzip	39.4 kB	39.4 kB	✓
Total	39.4 kB	39.4 kB	✓

Pages

	Canary	PR	Change
_app-HASH.js gzip	194 B	194 B	✓
_error-HASH.js gzip	183 B	180 B	🟢 3 B (-2%)
css-HASH.js gzip	331 B	330 B	✓
dynamic-HASH.js gzip	1.81 kB	1.81 kB	✓
edge-ssr-HASH.js gzip	256 B	256 B	✓
head-HASH.js gzip	351 B	352 B	✓
hooks-HASH.js gzip	384 B	383 B	✓
image-HASH.js gzip	580 B	581 B	✓
index-HASH.js gzip	260 B	260 B	✓
link-HASH.js gzip	2.51 kB	2.51 kB	✓
routerDirect..HASH.js gzip	320 B	319 B	✓
script-HASH.js gzip	386 B	386 B	✓
withRouter-HASH.js gzip	315 B	315 B	✓
1afbb74e6ecf..834.css gzip	106 B	106 B	✓
Total	7.98 kB	7.98 kB	✅ -1 B

Server

Edge SSR

	Canary	PR	Change
edge-ssr.js gzip	125 kB	125 kB	✓
page.js gzip	269 kB	268 kB	✓
Total	394 kB	393 kB	✅ -291 B

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	620 B	615 B	✓
middleware-r..fest.js gzip	156 B	155 B	✓
middleware.js gzip	44 kB	44.2 kB	✓
edge-runtime..pack.js gzip	842 B	842 B	✓
Total	45.6 kB	45.8 kB	⚠️ +140 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	715 B	718 B	✓
Total	715 B	718 B	⚠️ +3 B

Build Cache

	Canary	PR	Change
0.pack gzip	4.27 MB	4.27 MB	🟢 5.22 kB (0%)
index.pack gzip	110 kB	110 kB	✓
index.pack.old gzip	109 kB	110 kB	✓
Total	4.49 MB	4.49 MB	✅ -4.77 kB

🔄 Shared (bundler-independent)

Runtimes

	Canary	PR	Change
app-page-exp...dev.js gzip	333 kB	333 kB	✓
app-page-exp..prod.js gzip	181 kB	181 kB	✓
app-page-tur...dev.js gzip	333 kB	333 kB	✓
app-page-tur..prod.js gzip	181 kB	181 kB	✓
app-page-tur...dev.js gzip	329 kB	329 kB	✓
app-page-tur..prod.js gzip	179 kB	179 kB	✓
app-page.run...dev.js gzip	330 kB	330 kB	✓
app-page.run..prod.js gzip	179 kB	179 kB	✓
app-route-ex...dev.js gzip	76 kB	76 kB	✓
app-route-ex..prod.js gzip	51.7 kB	51.7 kB	✓
app-route-tu...dev.js gzip	76 kB	76 kB	✓
app-route-tu..prod.js gzip	51.7 kB	51.7 kB	✓
app-route-tu...dev.js gzip	75.6 kB	75.6 kB	✓
app-route-tu..prod.js gzip	51.5 kB	51.5 kB	✓
app-route.ru...dev.js gzip	75.6 kB	75.6 kB	✓
app-route.ru..prod.js gzip	51.5 kB	51.5 kB	✓
dist_client_...dev.js gzip	324 B	324 B	✓
dist_client_...dev.js gzip	326 B	326 B	✓
dist_client_...dev.js gzip	318 B	318 B	✓
dist_client_...dev.js gzip	317 B	317 B	✓
pages-api-tu...dev.js gzip	43.4 kB	43.4 kB	✓
pages-api-tu..prod.js gzip	33 kB	33 kB	✓
pages-api.ru...dev.js gzip	43.3 kB	43.3 kB	✓
pages-api.ru..prod.js gzip	33 kB	33 kB	✓
pages-turbo....dev.js gzip	52.7 kB	52.7 kB	✓
pages-turbo...prod.js gzip	38.6 kB	38.6 kB	✓
pages.runtim...dev.js gzip	52.7 kB	52.7 kB	✓
pages.runtim..prod.js gzip	38.6 kB	38.6 kB	✓
server.runti..prod.js gzip	62.4 kB	62.4 kB	✓
Total	2.95 MB	2.95 MB	⚠️ +2 B

📎 Tarball URL

https://vercel-packages.vercel.app/next/commits/b1c1094a6ac1260d44f437efc3b05f12b78dbdce/next

[ztanner]

Merge activity

• Mar 17, 8:57 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Mar 17, 8:57 PM UTC: @ztanner merged this pull request with Graphite.