refactor(platform-server): deprecate ServerXhr #69255

Merged: atscott merged 1 commit into angular:21.2.x from alan-agius4:deprecate-server-xhr-21-2 on Jun 9, 2026
@alan-agius4 (Contributor)

refactor(platform-server): deprecate ServerXhr

XHR support in `@angular/platform-server` is deprecated because the underlying `xhr2` library does not safely handle redirects. Specifically, it can forward `Authorization` headers on cross-origin redirects (which leaks credentials) and is susceptible to denial-of-service (DoS) via redirect loops.

DEPRECATED: XHR support in `@angular/platform-server` is deprecated. Use standard `fetch` APIs instead.

pullapprove (bot) requested a review from kirjs on June 9, 2026 08:56
angular-robot (bot) added the labels `detected: deprecation` (PR contains a commit with a deprecation) and `area: server` (Issues related to server-side rendering) on Jun 9, 2026
ngbot (bot) added this to the Backlog milestone on Jun 9, 2026
alan-agius4 requested a review from AndrewKushnir and removed the request for kirjs on June 9, 2026 09:09
alan-agius4 added the labels `action: review` (The PR is still awaiting reviews from at least one requested reviewer) and `target: lts` (This PR is targeting a version currently in long-term support) on Jun 9, 2026
Comment thread on packages/platform-server/src/http.ts (outdated)
alan-agius4 requested a review from JeanMeche on June 9, 2026 09:40
alan-agius4 force-pushed the deprecate-server-xhr-21-2 branch from b1770ea to 8717e56 on June 9, 2026 09:42
alan-agius4 added the label `action: merge` (The PR is ready for merge by the caretaker) and removed the label `action: review` (The PR is still awaiting reviews from at least one requested reviewer) on Jun 9, 2026
alan-agius4 removed the request for review from AndrewKushnir on June 9, 2026 09:57
atscott merged commit 13fb0af into angular:21.2.x on Jun 9, 2026
20 checks passed
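
The two redirect hazards named in the PR description (credentials forwarded across origins, unbounded redirect loops), written out as the checks a server-side HTTP client has to make on every hop. This is an added example, not code from Angular or `xhr2`; `fetchWithSafeRedirects`, `makeFakeFetch`, the limit of 5 and the credential header list are assumptions made for illustration, and it covers GET requests only.

```javascript
// Added example, not Angular or xhr2 code. GET-only; the limit is an assumed value.
const MAX_REDIRECTS = 5;
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Follows redirects by hand so each hop can be checked before it is requested.
// `fetchImpl` is injectable for offline testing; it defaults to the global fetch.
async function fetchWithSafeRedirects(url, init = {}, fetchImpl = globalThis.fetch) {
  let current = new URL(url);
  const headers = new Headers(init.headers);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = await fetchImpl(current.href, { ...init, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    const isRedirect = res.status >= 300 && res.status < 400 && location;
    if (!isRedirect) return res;
    const next = new URL(location, current); // resolves relative Location values
    if (!['http:', 'https:'].includes(next.protocol)) {
      throw new Error(`refusing redirect to ${next.protocol} URL`);
    }
    // Credentials were issued for the original origin only; drop them on any change
    // of scheme, host or port, and never re-add them on later hops.
    if (next.origin !== current.origin) {
      for (const name of CREDENTIAL_HEADERS) headers.delete(name);
    }
    current = next;
  }
  // Bounded loop: a redirect cycle ends here instead of tying up the renderer.
  throw new Error(`too many redirects (limit ${MAX_REDIRECTS})`);
}

// Constructed stand-in for a network: maps URL -> { status, location } and records
// the Authorization value each requested URL received.
function makeFakeFetch(routes, seen) {
  return async (href, init) => {
    seen.push([href, init.headers.get('authorization')]);
    const route = routes[href] || { status: 200 };
    const headers = new Headers(route.location ? { location: route.location } : {});
    return { status: route.status, headers };
  };
}
```
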