HMR and some /_next/static/ requests fail through a proxy #77073
Comments
github-actions
bot
added
the
Font (next/font)
|
After some digging, looks like this is the cause: #76880 |
|
We're experiencing this issue as well. We aren't using a proxy; instead, we resolve all Perhaps if |
|
I use frpc to make my dev env to the public ssl nginx env, this issue is truely frustrating me. |
this. bet multitenant demo is broken as well now. pin |
|
can confirm. |
|
Seems to still be broken in 15.2.3 for me even with the wildcard fix. |
|
yes it's still broken, not sure why we'd want to block cross origin in dev environment at all actually |
|
Faced same issue, just tested 15.2.3. Adding: at It seems still wildcard isn't allowed. Note that |
|
neither option works, either pin the old version or don't use next/font |
…ut (#77395) To avoid breaking local development proxies and more complex setups, this ensures that we only block cross-origin development requests when opting into the configuration. In a future major release, this will not be opt-in, and will require explicitly providing the allowed origins that can access the special `/_next` endpoints. This adds a warning when a cross origin request is detected that would be blocked without explicit configuration. Fixes #77073 Fixes #77253 Fixes #77344
Link to the code that reproduces this issue
https://codesandbox.io/p/sandbox/admin-dashboard-ppp3f8
To Reproduce
Current vs. Expected behavior
When I hit my Next server through a proxy, my browser should be able to make requests to https://local.test.com/_next/static/media/S6u8w4BMUTPHh30AXC_qNiXg7Q-s.p.01183af7.woff2 for example, and recieve the resource - since 15.2.2, I receieve a 403 Unauthorized error. There are no console errors, and logging in middleware reveals that those errors don't actually even reach the middleware stage.
Using the --hostname flag to replicate my proxy domain, this does work as expected, however this will not work with a multi-tenant system where the proxy domain can be dynamic.
This can be tested quite easily on any Next app by testing using the following request headers in an API agent like Postman:
SUCCESS:
"Origin": "http://localhost:3025"
this is the port it's actually running on, so if I query the page directly without nginx, this is the origin that would be attached
SUCCESS:
"Origin": "http://localhost:1283189273981273981728397123"
just put a random port to see what would happen, and it works
FAILURE:
"Origin": "https://local.hello.com/"
Using a proxy, this is the origin that gets attached, and it fails
I also noticed that since 15.2.2, I have to explicitly set Origin to "" in my Nginx proxy when hitting /_next/webpack-hmr, or else my HMR also fails.
Provide environment information
Operating System: Platform: darwin Arch: arm64 Version: Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:30 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6030 Available memory (MB): 18432 Available CPU cores: 11 Binaries: Node: 22.9.0 npm: 10.8.3 Yarn: 4.1.1 pnpm: 10.6.2 Relevant Packages: next: 15.2.2 // Latest available version is detected (15.2.2). eslint-config-next: 15.2.0 react: 19.0.0 react-dom: 19.0.0 typescript: 5.7.3 Next.js Config: output: N/AWhich area(s) are affected? (Select all that apply)
Font (next/font)
Which stage(s) are affected? (Select all that apply)
next dev (local)
Additional context
I tested on 15.2.1, and it does work as expected without making any changes. Everything since, and including, 15.2.2, including canary versions, give said errors.
The text was updated successfully, but these errors were encountered: