fix(rsc): update failed origin checks to return a 400 status (#14755)

jacob-ebey · web-flow · commit 7ca70609befc · 2026-01-28T12:39:54.000-08:00
diff --git a/.changeset/twelve-dancers-shop.md b/.changeset/twelve-dancers-shop.md
@@ -0,0 +1,5 @@
+---
+"react-router": patch
+---
+
+RSC: Update failed origin checks to return a 400 status and appropriate UI instead of a generic 500
diff --git a/packages/react-router/lib/rsc/server.rsc.ts b/packages/react-router/lib/rsc/server.rsc.ts
@@ -766,10 +766,6 @@ async function generateRenderResponse(
   // will happen in the subsequent revalidation request
   let statusCode = 200;
   let url = new URL(request.url);
-  // TODO: Can this be done with a pathname extension instead of a header?
-  // If not, make sure we strip this at the SSR server and it can only be set
-  // by us to avoid cache-poisoning attempts
-
   let isSubmission = isMutationMethod(request.method);
   let routeIdsToLoad =
     !isSubmission && url.searchParams.has("_routes")
@@ -804,55 +800,61 @@ async function generateRenderResponse(
         // POST `request` to `query` and process our action there.
         let formState: unknown;
         let skipRevalidation = false;
+        let potentialCSRFAttackError: unknown | undefined;
         if (request.method === "POST") {
-          throwIfPotentialCSRFAttack(request.headers, allowedActionOrigins);
-
-          ctx.runningAction = true;
-          let result = await processServerAction(
-            request,
-            basename,
-            decodeReply,
-            loadServerAction,
-            decodeAction,
-            decodeFormState,
-            onError,
-            temporaryReferences,
-          );
-          ctx.runningAction = false;
-
-          if (isResponse(result)) {
-            return generateRedirectResponse(
-              result,
-              actionResult,
-              basename,
-              isDataRequest,
-              generateResponse,
-              temporaryReferences,
-              (ctx.redirect as unknown as Response)?.headers,
-            );
-          }
+          try {
+            throwIfPotentialCSRFAttack(request.headers, allowedActionOrigins);
 
-          skipRevalidation = result?.skipRevalidation ?? false;
-          actionResult = result?.actionResult;
-          formState = result?.formState;
-          request = result?.revalidationRequest ?? request;
-
-          if (ctx.redirect) {
-            return generateRedirectResponse(
-              ctx.redirect,
-              actionResult,
+            ctx.runningAction = true;
+            let result = await processServerAction(
+              request,
               basename,
-              isDataRequest,
-              generateResponse,
+              decodeReply,
+              loadServerAction,
+              decodeAction,
+              decodeFormState,
+              onError,
               temporaryReferences,
-              undefined,
-            );
+            ).finally(() => {
+              ctx.runningAction = false;
+            });
+
+            if (isResponse(result)) {
+              return generateRedirectResponse(
+                result,
+                actionResult,
+                basename,
+                isDataRequest,
+                generateResponse,
+                temporaryReferences,
+                (ctx.redirect as unknown as Response)?.headers,
+              );
+            }
+
+            skipRevalidation = result?.skipRevalidation ?? false;
+            actionResult = result?.actionResult;
+            formState = result?.formState;
+            request = result?.revalidationRequest ?? request;
+
+            if (ctx.redirect) {
+              return generateRedirectResponse(
+                ctx.redirect,
+                actionResult,
+                basename,
+                isDataRequest,
+                generateResponse,
+                temporaryReferences,
+                undefined,
+              );
+            }
+          } catch (error) {
+            potentialCSRFAttackError = error;
           }
         }
 
         let staticContext = await query(
           request,
-          skipRevalidation
+          skipRevalidation || !!potentialCSRFAttackError
             ? {
                 filterMatchesToLoad: () => false,
               }
@@ -871,6 +873,13 @@ async function generateRenderResponse(
           );
         }
 
+        if (potentialCSRFAttackError) {
+          staticContext.errors ??= {};
+          staticContext.errors[staticContext.matches[0].route.id] =
+            potentialCSRFAttackError;
+          staticContext.statusCode = 400;
+        }
+
         return generateStaticContextResponse(
           routes,
           basename,

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"react-router": patch
 +---
++
 +RSC: Update failed origin checks to return a 400 status and appropriate UI instead of a generic 500