Skip to content

refactor(platform-server): deprecate ServerXhr#69256

Merged
atscott merged 1 commit into
angular:20.3.xfrom
alan-agius4:deprecate-server-xhr-20-3
Jun 9, 2026
Merged

refactor(platform-server): deprecate ServerXhr#69256
atscott merged 1 commit into
angular:20.3.xfrom
alan-agius4:deprecate-server-xhr-20-3

Conversation

@alan-agius4

@alan-agius4 alan-agius4 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

refactor(platform-server): deprecate ServerXhr

XHR support in @angular/platform-server is deprecated because the underlying xhr2 library does not safely handle redirects. Specifically, it can forward Authorization headers on cross-origin redirects (which leaks credentials) and is susceptible to denial-of-service (DoS) via redirect loops.

DEPRECATED: XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

@pullapprove pullapprove Bot requested a review from atscott June 9, 2026 08:56
@angular-robot angular-robot Bot added detected: deprecation PR contains a commit with a deprecation area: server Issues related to server-side rendering labels Jun 9, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 9, 2026
@alan-agius4 alan-agius4 requested review from AndrewKushnir and removed request for atscott June 9, 2026 09:08
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: lts This PR is targeting a version currently in long-term support and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 9, 2026
@alan-agius4
refactor(platform-server): deprecate ServerXhr
0af757c 
XHR support in `@angular/platform-server` is deprecated because the underlying `xhr2` library does not safely handle redirects. Specifically, it can forward `Authorization` headers on cross-origin redirects (which leaks credentials) and is susceptible to denial-of-service (DoS) via redirect loops.

DEPRECATED: XHR support in `@angular/platform-server` is deprecated. Use standard `fetch` APIs instead.
@alan-agius4 alan-agius4 force-pushed the deprecate-server-xhr-20-3 branch from bd03f69 to 0af757c Compare June 9, 2026 09:43
@alan-agius4 alan-agius4 requested review from JeanMeche and removed request for AndrewKushnir June 9, 2026 09:58
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 9, 2026
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 9, 2026
@atscott atscott merged commit d55c94a into angular:20.3.x Jun 9, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JeanMeche JeanMeche JeanMeche approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: server Issues related to server-side rendering detected: deprecation PR contains a commit with a deprecation target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

3 participants

@alan-agius4 @JeanMeche @atscott