block disallowed dev origins by default by ztanner · Pull Request #91507 · vercel/next.js

ztanner · 2026-03-17T14:33:19Z

This removes the warn-only default behavior and enforces the dev-origin guard by default. Cross-origin requests to internal dev resources now block unless they match the built-in local allowlist or an explicit allowedDevOrigins entry. The tests are expanded to cover default blocking, configured-but-not-allowlisted hosts, missing Referer in the no-cors path, and same-site requests without an Origin, and the docs are updated to match the new behavior.

ztanner · 2026-03-17T14:33:32Z

improve allowedDevOrigins error #91521
block disallowed dev origins by default #91507 👈 (View in Graphite)
fix allowedDevOrigins for no-cors requests #91506
canary

This stack of pull requests is managed by Graphite. Learn more about stacking.

nextjs-bot · 2026-03-17T14:43:16Z

Tests Passed

nextjs-bot · 2026-03-17T19:55:33Z

Stats from current PR

✅ No significant changes detected

📊 All Metrics

📖 Metrics Glossary

Dev Server Metrics:

Listen = TCP port starts accepting connections
First Request = HTTP server returns successful response
Cold = Fresh build (no cache)
Warm = With cached build artifacts

Build Metrics:

Fresh = Clean build (no .next directory)
Cached = With existing .next directory

Change Thresholds:

Time: Changes < 50ms AND < 10%, OR < 2% are insignificant
Size: Changes < 1KB AND < 1% are insignificant
All other changes are flagged to catch regressions

⚡ Dev Server

Metric	Canary	PR	Change	Trend
Cold (Listen)	455ms	455ms	✓	▆█▁▁▁
Cold (Ready in log)	438ms	440ms	✓	▆█▁▁▁
Cold (First Request)	1.165s	1.151s	✓	▅█▁▁▁
Warm (Listen)	457ms	457ms	✓	▆█▁▁▁
Warm (Ready in log)	442ms	442ms	✓	▆█▁▁▁
Warm (First Request)	342ms	341ms	✓	▆█▁▁▁

📦 Dev Server (Webpack) (Legacy)

📦 Dev Server (Webpack)

Metric	Canary	PR	Change	Trend
Cold (Listen)	456ms	455ms	✓	▁▁█▁▁
Cold (Ready in log)	440ms	440ms	✓	▂▂█▁▃
Cold (First Request)	1.887s	1.880s	✓	▁▁█▁▂
Warm (Listen)	456ms	456ms	✓	▁▁█▁▁
Warm (Ready in log)	439ms	439ms	✓	▂▂█▁▃
Warm (First Request)	1.901s	1.872s	✓	▁▂█▁▁

⚡ Production Builds

Metric	Canary	PR	Change	Trend
Fresh Build	3.783s	3.761s	✓	▅█▁▁▁
Cached Build	3.812s	3.686s	✓	▅█▁▁▁

📦 Production Builds (Webpack) (Legacy)

📦 Production Builds (Webpack)

Metric	Canary	PR	Change	Trend
Fresh Build	14.283s	14.386s	✓	▁▁█▁▁
Cached Build	14.480s	14.488s	✓	▁▁█▁▁
node_modules Size	483 MB	483 MB	✓	▁▁▁▁▁

📦 Bundle Sizes

Bundle Sizes

⚡ Turbopack

Client

Main Bundles

	Canary	PR	Change
0~lwfcrlb4v_9.css gzip	115 B	115 B	✓
00h0nz7r436~l.js gzip	13.3 kB	N/A	-
019g6dx8~tg3j.js gzip	12.9 kB	N/A	-
02ku7edzc_wf7.js gzip	450 B	N/A	-
03_qn3jc.c.if.js gzip	155 B	N/A	-
03~yq9q893hmn.js gzip	39.4 kB	39.4 kB	✓
05p.v~a0idamf.js gzip	157 B	N/A	-
08akqyn9tddop.js gzip	155 B	N/A	-
092lcb3fqrrf9.js gzip	8.52 kB	N/A	-
096ojkggp1~uj.js gzip	170 B	N/A	-
0aj~xs1l1g8tg.js gzip	8.53 kB	N/A	-
0eg78sqvyqa0_.js gzip	13.7 kB	N/A	-
0fa4llft9~nu8.js gzip	158 B	N/A	-
0h35gmp9u328z.js gzip	8.54 kB	N/A	-
0h6fkavebp.iz.js gzip	8.47 kB	N/A	-
0hzbjw9lvv3tg.js gzip	155 B	N/A	-
0i66_d4nicbyo.js gzip	157 B	N/A	-
0ino_yf1k3h6k.js gzip	10.4 kB	N/A	-
0jsi4egukhfz5.js gzip	7.61 kB	N/A	-
0macv4tje3an9.js gzip	159 B	N/A	-
0moy~uao4dl.m.js gzip	9.19 kB	N/A	-
0q50rtpusjy90.js gzip	2.28 kB	N/A	-
0smgy2grrrlka.js gzip	8.58 kB	N/A	-
0t1dzhdfh0txh.js gzip	215 B	215 B	✓
0vt7pofxnk8in.js gzip	10.1 kB	N/A	-
0zid7o0-vupvp.js gzip	225 B	N/A	-
0znvdan0rv.1l.js gzip	158 B	N/A	-
11yo3xfd6b147.js gzip	12.9 kB	N/A	-
12h1p.vvy5dpn.js gzip	161 B	N/A	-
13.84hqxl_1p7.js gzip	9.76 kB	N/A	-
14_hwphcs58-s.js gzip	48.6 kB	N/A	-
150hov40y-e20.js gzip	65.7 kB	N/A	-
1554wr-t7p6z-.js gzip	8.55 kB	N/A	-
15i08xky7obk7.js gzip	159 B	N/A	-
15tjst79~qy3_.js gzip	1.46 kB	N/A	-
15z_v00ne4ud0.js gzip	8.47 kB	N/A	-
16bmw2cenxzht.js gzip	70.8 kB	N/A	-
16djs0hsbzb3o.js gzip	156 B	N/A	-
17d_m3p4j9w6r.js gzip	5.62 kB	N/A	-
17waezdu~7dop.js gzip	162 B	N/A	-
17yu~3yiu7d2m.js gzip	8.52 kB	N/A	-
turbopack-0-..5od2.js gzip	4.16 kB	N/A	-
turbopack-0-..v0~j.js gzip	4.16 kB	N/A	-
turbopack-0-..ydx2.js gzip	4.16 kB	N/A	-
turbopack-0...0yh5.js gzip	4.16 kB	N/A	-
turbopack-0~..rwxr.js gzip	4.16 kB	N/A	-
turbopack-09..ihwe.js gzip	4.17 kB	N/A	-
turbopack-0a..nvyi.js gzip	4.16 kB	N/A	-
turbopack-0a..pv9r.js gzip	4.16 kB	N/A	-
turbopack-0d..uuri.js gzip	4.16 kB	N/A	-
turbopack-0e..1hd9.js gzip	4.14 kB	N/A	-
turbopack-0m..9i3j.js gzip	4.16 kB	N/A	-
turbopack-0t..1j7i.js gzip	4.16 kB	N/A	-
turbopack-0u..sbpa.js gzip	4.16 kB	N/A	-
turbopack-18..7bcg.js gzip	4.16 kB	N/A	-
0_.49f9yku.5j.js gzip	N/A	48.6 kB	-
0_cl~bd4xv7qq.js gzip	N/A	154 B	-
0_zucdt2.9nwv.js gzip	N/A	170 B	-
0161xcklk666_.js gzip	N/A	70.8 kB	-
02263xhx.kjvl.js gzip	N/A	156 B	-
03t__~.5lvgeu.js gzip	N/A	5.62 kB	-
03w5kc0p972.js gzip	N/A	153 B	-
04.6z6~bk0ba8.js gzip	N/A	7.6 kB	-
04d6ll75jqx3r.js gzip	N/A	9.19 kB	-
0583exyh-yhc7.js gzip	N/A	9.76 kB	-
06xmhhv667fde.js gzip	N/A	65.7 kB	-
072lv63r8dcz~.js gzip	N/A	8.58 kB	-
077ilr~jvv004.js gzip	N/A	151 B	-
07k6dcww5s4pu.js gzip	N/A	13.7 kB	-
0ar1~bwpezfgw.js gzip	N/A	13.3 kB	-
0c99mq1ez2bke.js gzip	N/A	450 B	-
0cq-cmde_ws6u.js gzip	N/A	8.47 kB	-
0d6fl17xl662a.js gzip	N/A	156 B	-
0f8ekbd742vkq.js gzip	N/A	155 B	-
0fwf102w10o9~.js gzip	N/A	8.52 kB	-
0gtmn.q_j1v5r.js gzip	N/A	10.4 kB	-
0h5~v-tahitcf.js gzip	N/A	10.1 kB	-
0jdxkyht7dcwi.js gzip	N/A	157 B	-
0nclq9z6yzzm5.js gzip	N/A	1.46 kB	-
0nzumcogektg7.js gzip	N/A	8.55 kB	-
0p0z5veb8xigp.js gzip	N/A	161 B	-
0s.c-cn5eebrx.js gzip	N/A	8.47 kB	-
0tna7lg6q4zne.js gzip	N/A	12.9 kB	-
0ua-sohqip-~a.js gzip	N/A	156 B	-
0votdfxr5fb5u.js gzip	N/A	2.28 kB	-
0w1mey6x9qmjg.js gzip	N/A	157 B	-
0ykl9bs_qj.5..js gzip	N/A	8.52 kB	-
0zfen0tnxp4gh.js gzip	N/A	8.55 kB	-
10wkq1h9jzkg..js gzip	N/A	225 B	-
13b6l.5jkw.yc.js gzip	N/A	155 B	-
13bn7vz3qakgv.js gzip	N/A	159 B	-
149ndfh8zfcaz.js gzip	N/A	8.53 kB	-
15gkb_10omqgr.js gzip	N/A	13 kB	-
turbopack-0~..2jf..js gzip	N/A	4.16 kB	-
turbopack-04..e4fb.js gzip	N/A	4.16 kB	-
turbopack-06..s-uy.js gzip	N/A	4.16 kB	-
turbopack-07..7wfu.js gzip	N/A	4.16 kB	-
turbopack-08.._ybc.js gzip	N/A	4.16 kB	-
turbopack-09..5v12.js gzip	N/A	4.18 kB	-
turbopack-0g..72xu.js gzip	N/A	4.16 kB	-
turbopack-0j..jaid.js gzip	N/A	4.16 kB	-
turbopack-0l.._yha.js gzip	N/A	4.16 kB	-
turbopack-0p..p6v6.js gzip	N/A	4.16 kB	-
turbopack-0t..1zpy.js gzip	N/A	4.16 kB	-
turbopack-10..0qzt.js gzip	N/A	4.16 kB	-
turbopack-13..esvd.js gzip	N/A	4.16 kB	-
turbopack-15..9k9z.js gzip	N/A	4.14 kB	-
Total	463 kB	463 kB	✅ -59 B

Server

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	711 B	712 B	✓
Total	711 B	712 B	⚠️ +1 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	432 B	432 B	✓
Total	432 B	432 B	✓

📦 Webpack

Client

Main Bundles

	Canary	PR	Change
5528-HASH.js gzip	5.54 kB	N/A	-
6280-HASH.js gzip	60.4 kB	N/A	-
6335.HASH.js gzip	169 B	N/A	-
912-HASH.js gzip	4.59 kB	N/A	-
e8aec2e4-HASH.js gzip	62.7 kB	N/A	-
framework-HASH.js gzip	59.7 kB	59.7 kB	✓
main-app-HASH.js gzip	256 B	253 B	🟢 3 B (-1%)
main-HASH.js gzip	39.2 kB	39.2 kB	✓
webpack-HASH.js gzip	1.68 kB	1.68 kB	✓
262-HASH.js gzip	N/A	4.59 kB	-
2889.HASH.js gzip	N/A	169 B	-
5602-HASH.js gzip	N/A	5.55 kB	-
6948ada0-HASH.js gzip	N/A	62.7 kB	-
9544-HASH.js gzip	N/A	61.1 kB	-
Total	234 kB	235 kB	⚠️ +667 B

Polyfills

	Canary	PR	Change
polyfills-HASH.js gzip	39.4 kB	39.4 kB	✓
Total	39.4 kB	39.4 kB	✓

Pages

	Canary	PR	Change
_app-HASH.js gzip	194 B	194 B	✓
_error-HASH.js gzip	183 B	180 B	🟢 3 B (-2%)
css-HASH.js gzip	331 B	330 B	✓
dynamic-HASH.js gzip	1.81 kB	1.81 kB	✓
edge-ssr-HASH.js gzip	256 B	256 B	✓
head-HASH.js gzip	351 B	352 B	✓
hooks-HASH.js gzip	384 B	383 B	✓
image-HASH.js gzip	580 B	581 B	✓
index-HASH.js gzip	260 B	260 B	✓
link-HASH.js gzip	2.51 kB	2.51 kB	✓
routerDirect..HASH.js gzip	320 B	319 B	✓
script-HASH.js gzip	386 B	386 B	✓
withRouter-HASH.js gzip	315 B	315 B	✓
1afbb74e6ecf..834.css gzip	106 B	106 B	✓
Total	7.98 kB	7.98 kB	✅ -1 B

Server

Edge SSR

	Canary	PR	Change
edge-ssr.js gzip	125 kB	125 kB	✓
page.js gzip	269 kB	268 kB	✓
Total	394 kB	393 kB	✅ -337 B

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	619 B	615 B	✓
middleware-r..fest.js gzip	156 B	155 B	✓
middleware.js gzip	43.9 kB	44 kB	✓
edge-runtime..pack.js gzip	842 B	842 B	✓
Total	45.5 kB	45.6 kB	⚠️ +55 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	715 B	718 B	✓
Total	715 B	718 B	⚠️ +3 B

Build Cache

	Canary	PR	Change
0.pack gzip	4.27 MB	4.27 MB	🟢 5.45 kB (0%)
index.pack gzip	110 kB	110 kB	✓
index.pack.old gzip	110 kB	110 kB	✓
Total	4.5 MB	4.49 MB	✅ -5.93 kB

🔄 Shared (bundler-independent)

Runtimes

	Canary	PR	Change
app-page-exp...dev.js gzip	333 kB	333 kB	✓
app-page-exp..prod.js gzip	181 kB	181 kB	✓
app-page-tur...dev.js gzip	333 kB	333 kB	✓
app-page-tur..prod.js gzip	181 kB	181 kB	✓
app-page-tur...dev.js gzip	329 kB	329 kB	✓
app-page-tur..prod.js gzip	179 kB	179 kB	✓
app-page.run...dev.js gzip	330 kB	330 kB	✓
app-page.run..prod.js gzip	179 kB	179 kB	✓
app-route-ex...dev.js gzip	76 kB	76 kB	✓
app-route-ex..prod.js gzip	51.7 kB	51.7 kB	✓
app-route-tu...dev.js gzip	76 kB	76 kB	✓
app-route-tu..prod.js gzip	51.7 kB	51.7 kB	✓
app-route-tu...dev.js gzip	75.6 kB	75.6 kB	✓
app-route-tu..prod.js gzip	51.5 kB	51.5 kB	✓
app-route.ru...dev.js gzip	75.6 kB	75.6 kB	✓
app-route.ru..prod.js gzip	51.5 kB	51.5 kB	✓
dist_client_...dev.js gzip	324 B	324 B	✓
dist_client_...dev.js gzip	326 B	326 B	✓
dist_client_...dev.js gzip	318 B	318 B	✓
dist_client_...dev.js gzip	317 B	317 B	✓
pages-api-tu...dev.js gzip	43.4 kB	43.4 kB	✓
pages-api-tu..prod.js gzip	33 kB	33 kB	✓
pages-api.ru...dev.js gzip	43.3 kB	43.3 kB	✓
pages-api.ru..prod.js gzip	33 kB	33 kB	✓
pages-turbo....dev.js gzip	52.7 kB	52.7 kB	✓
pages-turbo...prod.js gzip	38.6 kB	38.6 kB	✓
pages.runtim...dev.js gzip	52.7 kB	52.7 kB	✓
pages.runtim..prod.js gzip	38.6 kB	38.6 kB	✓
server.runti..prod.js gzip	62.4 kB	62.4 kB	✓
Total	2.95 MB	2.95 MB	✅ -1 B

📎 Tarball URL

https://vercel-packages.vercel.app/next/commits/533f5056f11c3fd12e400e2d7b73cc47051b22f5/next

ztanner · 2026-03-17T20:57:11Z

Merge activity

Mar 17, 8:57 PM UTC: A user started a stack merge that includes this pull request via Graphite.
Mar 17, 8:59 PM UTC: Graphite rebased this pull request as part of a merge.
Mar 17, 9:48 PM UTC: Graphite couldn't merge this PR because it was not satisfying all requirements (Failed CI: 'thank you, next', 'test turbopack production (1/7) / build', 'test prod (8/10) / build').
Mar 17, 11:02 PM UTC: A user started a stack merge that includes this pull request via Graphite.
Mar 17, 11:02 PM UTC: @ztanner merged this pull request with Graphite.

nextjs-bot added created-by: Next.js team PRs by the Next.js team. Documentation Related to Next.js' official documentation. tests type: next labels Mar 17, 2026

ztanner mentioned this pull request Mar 17, 2026

fix allowedDevOrigins for no-cors requests #91506

Merged

ztanner force-pushed the ztanner/allowed-dev-origins-block-default branch from 21f28f2 to 84abd1f Compare March 17, 2026 14:50

ztanner mentioned this pull request Mar 17, 2026

improve allowedDevOrigins error #91521

Merged

ztanner marked this pull request as ready for review March 17, 2026 18:54

ztanner requested review from gnoff and ijjk March 17, 2026 18:54

gnoff approved these changes Mar 17, 2026

View reviewed changes

ztanner force-pushed the ztanner/allowed-dev-origins-block-default branch from 84abd1f to 79b4017 Compare March 17, 2026 19:36

ztanner changed the base branch from ztanner/allowed-dev-origins-nocors to graphite-base/91507 March 17, 2026 20:57

ztanner changed the base branch from graphite-base/91507 to canary March 17, 2026 20:57

block disallowed dev origins by default

533f505

ztanner force-pushed the ztanner/allowed-dev-origins-block-default branch from 79b4017 to 533f505 Compare March 17, 2026 20:59

ztanner merged commit b2b802c into canary Mar 17, 2026
281 of 284 checks passed

ztanner deleted the ztanner/allowed-dev-origins-block-default branch March 17, 2026 23:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

block disallowed dev origins by default#91507

block disallowed dev origins by default#91507
ztanner merged 1 commit intocanaryfrom
ztanner/allowed-dev-origins-block-default

ztanner commented Mar 17, 2026 •

edited

Loading

Uh oh!

ztanner commented Mar 17, 2026 •

edited

Loading

Uh oh!

nextjs-bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

nextjs-bot commented Mar 17, 2026 •

edited

Loading

⚡ Dev Server

📦 Dev Server (Webpack)

⚡ Production Builds

📦 Production Builds (Webpack)

Bundle Sizes

⚡ Turbopack

📦 Webpack

🔄 Shared (bundler-independent)

Uh oh!

ztanner commented Mar 17, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

ztanner commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ztanner commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nextjs-bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Tests Passed

Uh oh!

nextjs-bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Stats from current PR

✅ No significant changes detected

⚡ Dev Server

📦 Dev Server (Webpack)

⚡ Production Builds

📦 Production Builds (Webpack)

Bundle Sizes

⚡ Turbopack

📦 Webpack

🔄 Shared (bundler-independent)

Uh oh!

ztanner commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Merge activity

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

ztanner commented Mar 17, 2026 •

edited

Loading

ztanner commented Mar 17, 2026 •

edited

Loading

nextjs-bot commented Mar 17, 2026 •

edited

Loading

nextjs-bot commented Mar 17, 2026 •

edited

Loading

ztanner commented Mar 17, 2026 •

edited

Loading