Skip to content

Guard against SSR leaks in <Router> constructor #6363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mjackson opened this issue Oct 1, 2018 · 6 comments
Closed

Guard against SSR leaks in <Router> constructor #6363

mjackson opened this issue Oct 1, 2018 · 6 comments

Comments

@mjackson
Copy link
Member

mjackson commented Oct 1, 2018

We should have a guard around the history.listen call in the <Router> constructor to be sure we are in a persistent environment first (see #6060 (comment)).

The ideal place for this listener would be componentDidMount, but we can't move it there and preserve backwards compatibility with existing code. It would be a breaking change, so we can talk about doing that in v5.
@mjackson mjackson added this to the 4.4 milestone Oct 1, 2018
@mjackson mjackson mentioned this issue Oct 1, 2018
Closed
@timdorr
Copy link
Member

timdorr commented Oct 1, 2018

Without looking at the code changes (on my phone), I will say in pretty confident you can listen inside of cDM and have it work with Redirect. We've been spending a lot of time on this exact issue with Redux (the last year, including multiple meetings with the React team) and have a solution we're implementing right now.

If anything, cDM is going to be required for forwards compatibility. If React decides to not mount a subtree after initialization, you can easily have weirdness around that subscription.

@frehner
Copy link
Contributor

frehner commented Oct 1, 2018

I don't know if this is the best solution, but in my PR I did a isStatic check for constructor and cDM and called listen depending on the situation.

@mjackson
Copy link
Member Author

mjackson commented Oct 1, 2018

@timdorr I tried that route but we did have some failing tests with the way <Redirect> currently works in v4. e.g. we have a test for multiple redirects on the initial render. Now, you could argue that's a bad test and we don't actually want that behavior, and I would whole-heartedly agree. But there's no way we can get that test to work using cDM, and my goal with 4.4 is to have no breaking changes.

@frehner Ya, we should probably do exactly that. Thanks for pointing that out :)

@timdorr
Copy link
Member

timdorr commented Oct 1, 2018

It's not so much that it's a bad test (multiple Redirects should definitely be handled), but that it's checking the implementation, not the effects. It's assuming a world where the React lifecycle is a one-time, synchronous thing. But that test would pass if it gave the React lifecycle a chance to run its course.

A simple fix to increase correctness would be to listen to the history and expect it to navigate through the redirect chain and then check what the render output is.

@mjackson
Copy link
Member Author

mjackson commented Oct 1, 2018

Completely agree, @timdorr. I'm just concerned that someone might be relying on this behavior in a SSR scenario and we will break their app with 4.4 if we change it. Again, I'm totally down with changing this in v5.

@timdorr
Copy link
Member

timdorr commented Oct 1, 2018
edited
Loading

Prior to the 4.4 changes, we did some wacky stuff with checking if we were in a staticContext or not. We could do the same thing to maintain the same behavior. 🤷‍♂️

@lock lock bot locked as resolved and limited conversation to collaborators Dec 13, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timdorr @mjackson @frehner