←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 10 comments | 11 Dec 25 20:46 UTC | HN request time: 0.665s | source | bottom
1. ashishb ◴[11 Dec 25 22:21 UTC] No.46238074[source]
The JavaScript fanatics will downvote me for saying this, but I'll say this, "using a single JavaScript codebase on your client-side and server-side is like cooking food in your toilet, sooner or later, contamination is guaranteed" [1]

1 - https://ashishb.net/tech/javascript/

replies(3): >>46238744 #>>46240063 #>>46241047 #
2. leptons ◴[11 Dec 25 23:20 UTC] No.46238744[source]
This isn't a Javascript problem, this is a React problem. You could theoretically rewrite React and RSC in any language and the outcome would be the same. Say Python ran in the browser natively, and you reimplented React on browser and server in Python. Same problem, not Javascript.
replies(1): >>46239061 #
3. ashishb ◴[11 Dec 25 23:54 UTC] No.46239061[source]
> This isn't a Javascript problem, this is a React problem.

It happened with Next.js as well https://github.com/vercel/next.js/discussions/11106

> Say Python ran in the browser natively, and you reimplented React on browser and server in Python. Same problem, not Javascript.

Yes.

And since Python does not natively run in the browser, that mistake never happens. With JavaScript, the desire to have "backend and frontend in a single codebase" requires active resistance.

replies(2): >>46239711 #>>46241013 #
4. rounce ◴[12 Dec 25 01:13 UTC] No.46239711{3}[source]
> It happened with Next.js as well

It's the same vulnerabilities because Next uses the vulnerable parts of React.

Your rational is quite poor as I can write an isomorphic web app in C or Rust or Go and run parts in the browser, what then? Look, many of us also strongly dislike JavaScript but generally that distaste is based on its actual shortcomings and failures, you don't have to invent new ones plenty already exist.

replies(1): >>46239956 #
5. ashishb ◴[12 Dec 25 01:49 UTC] No.46239956{4}[source]
> I can write an isomorphic web app in C or Rust or Go and run parts in the browser, what then?

If you have a single codebase for Go-based code running in an untrusted browser (the "toilet") and a trusted backend (the "kitchen"), then the same contamination is highly likely.

6. pier25 ◴[12 Dec 25 02:05 UTC] No.46240063[source]
You can still have separate codebases for server and client in JS/TS...
replies(1): >>46242167 #
7. leptons ◴[12 Dec 25 04:59 UTC] No.46241013{3}[source]
>And since Python does not natively run in the browser, that mistake never happens.

Did you even bother to read my comment? Try again, please. Next time don't skip over parts.

8. 0xblinq ◴[12 Dec 25 05:07 UTC] No.46241047[source]
You're mixing programming languages with software architecture.
replies(1): >>46242178 #
9. ashishb ◴[12 Dec 25 08:50 UTC] No.46242167[source]
> You can still have separate codebases for server and client in JS/TS...

Indeed, but unlike Go/Python (backend) and TS/JS (frontend), the separation is surmountable, and the push to "reuse" is high.

10. ashishb ◴[12 Dec 25 08:51 UTC] No.46242178[source]
> You're mixing programming languages with software architecture.

Programming languages do lead to certain software architectures. These are independent but not orthogonal issues.