Limit crossOrigin value usage

facebook · Jun 1, 2023 · 08774cc · 08774cc
1 parent bc25880
commit 08774cc
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/packages/react-dom-bindings/src/server/ReactFizzConfigDOM.js b/packages/react-dom-bindings/src/server/ReactFizzConfigDOM.js
@@ -268,7 +268,11 @@ export function createResponseState(
       const integrity =
         typeof scriptConfig === 'string' ? undefined : scriptConfig.integrity;
       const crossOrigin =
-        typeof scriptConfig === 'string' ? undefined : scriptConfig.crossOrigin;
+        typeof scriptConfig === 'string' || scriptConfig.crossOrigin == null
+          ? undefined
+          : scriptConfig.crossOrigin === 'use-credentials'
+          ? 'use-credentials'
+          : '';
 
       bootstrapChunks.push(
         startScriptSrc,
@@ -286,7 +290,7 @@ export function createResponseState(
           stringToChunk(escapeTextForBrowser(integrity)),
         );
       }
-      if (crossOrigin) {
+      if (typeof crossOrigin === 'string') {
         bootstrapChunks.push(
           scriptCrossOrigin,
           stringToChunk(escapeTextForBrowser(crossOrigin)),
@@ -303,7 +307,11 @@ export function createResponseState(
       const integrity =
         typeof scriptConfig === 'string' ? undefined : scriptConfig.integrity;
       const crossOrigin =
-        typeof scriptConfig === 'string' ? undefined : scriptConfig.crossOrigin;
+        typeof scriptConfig === 'string' || scriptConfig.crossOrigin == null
+          ? undefined
+          : scriptConfig.crossOrigin === 'use-credentials'
+          ? 'use-credentials'
+          : '';
 
       bootstrapChunks.push(
         startModuleSrc,
@@ -322,7 +330,7 @@ export function createResponseState(
           stringToChunk(escapeTextForBrowser(integrity)),
         );
       }
-      if (crossOrigin) {
+      if (typeof crossOrigin === 'string') {
         bootstrapChunks.push(
           scriptCrossOrigin,
           stringToChunk(escapeTextForBrowser(crossOrigin)),

diff --git a/packages/react-dom/src/__tests__/ReactDOMFizzServer-test.js b/packages/react-dom/src/__tests__/ReactDOMFizzServer-test.js
@@ -3794,7 +3794,11 @@ describe('ReactDOMFizzServer', () => {
             },
             {
               src: 'baz',
-              crossOrigin: 'anonymous',
+              crossOrigin: '',
+            },
+            {
+              src: 'qux',
+              crossOrigin: 'defaults-to-empty',
             },
           ],
           bootstrapModules: [
@@ -3828,7 +3832,8 @@ describe('ReactDOMFizzServer', () => {
     ).toEqual([
       '<script src="foo" async=""></script>',
       '<script src="bar" async=""></script>',
-      '<script src="baz" crossorigin="anonymous" async=""></script>',
+      '<script src="baz" crossorigin="" async=""></script>',
+      '<script src="qux" crossorigin="" async=""></script>',
       '<script type="module" src="quux" async=""></script>',
       '<script type="module" src="corge" async=""></script>',
       '<script type="module" src="grault" crossorigin="use-credentials" async=""></script>',