←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 1 comments | 11 Dec 25 20:46 UTC | HN request time: 0.001s | source
Show context
simonw ◴[11 Dec 25 21:59 UTC] No.46237795[source]
React Server Components always felt uncomfortable to me because they make it hard to look at a piece of JavaScript code and derive which parts of it are going to run on the client and which parts will run on the server.

It turns out this introduces another problem too: in order to get that to work you need to implement some kind of DEEP serialization RPC mechanism - which is kind of opaque to the developer and, as we've recently seen, is a risky spot in terms of potential security vulnerabilities.

replies(10): >>46237967 #>>46238102 #>>46238147 #>>46239075 #>>46240339 #>>46240602 #>>46240620 #>>46240996 #>>46241208 #>>46242116 #
1. dirkc ◴[12 Dec 25 08:40 UTC] No.46242116[source]
I 100% agree. I didn't even bother to think about the security implications - why worry about security implications if the whole things seems like a bad idea?

In retrospect I should have given it more thought since React Server Components are punted in many places!