Describe the bug
In local development, the microfrontends proxy can corrupt redirect Location headers when the redirect target contains an absolute URL inside a query parameter.
In our case, a request like:
/free-tools/tiktok-audience-analytics?url=https://www.tiktok.com/@streamhits01/video/7611535128661118230
ends up being rewritten by the local proxy to:
/free-tools/tiktok-audience-analytics?url=https:/www.tiktok.com/@streamhits01/video/7611535128661118230
Notice the missing second slash in https:/....
This only happens through the local microfrontends proxy. Hitting the child app directly returns the correct encoded redirect.
Steps to reproduce issue
- Run a local microfrontends setup with the shared proxy and a child Next.js app.
- Have the child app return a redirect whose
Location includes an absolute URL in a query param.
- Example direct child-app response:
Location: http://localhost:6720/free-tools/tiktok-audience-analytics?url=https%3A%2F%2Fwww.tiktok.com%2F%40streamhits01%2Fvideo%2F7611535128661118230
- Request the same route through the shared local proxy instead of the child app directly.
- Observe the proxy response header becomes:
Location: /free-tools/tiktok-audience-analytics?url=https:/www.tiktok.com/@streamhits01/video/7611535128661118230
I reproduced this with:
- shared proxy:
http://localhost:6720
- child app:
http://localhost:6722
- package version:
@vercel/microfrontends@2.3.2
Direct child app request:
curl -I 'http://localhost:6722/free-tools/tiktok-audience-analytics?url=https://www.tiktok.com/@streamhits01/video/7611535128661118230'
returns a correct encoded Location header.
Shared proxy request:
curl -I 'http://localhost:6720/free-tools/tiktok-audience-analytics?url=https://www.tiktok.com/@streamhits01/video/7611535128661118230'
returns a malformed Location header with https:/....
Expected behavior
The local proxy should preserve the redirect target and not rewrite absolute URLs that appear inside query parameters.
Screenshots
N/A
Additional context
This looks like it comes from the local proxy Location rewrite logic using a non-anchored regex:
locationHeader.replace(/https:\/\/[^/]+\//, "/")
Because that replacement is not anchored to the start of the header, it can also match https://... that appears later inside the query string.
Anchoring it appears to avoid the corruption:
locationHeader.replace(/^https?:\/\/[^/]+\//, "/")
I have not patched this locally because it seems like an upstream local-proxy bug rather than an app-level issue.
Describe the bug
In local development, the microfrontends proxy can corrupt redirect
Locationheaders when the redirect target contains an absolute URL inside a query parameter.In our case, a request like:
/free-tools/tiktok-audience-analytics?url=https://www.tiktok.com/@streamhits01/video/7611535128661118230ends up being rewritten by the local proxy to:
/free-tools/tiktok-audience-analytics?url=https:/www.tiktok.com/@streamhits01/video/7611535128661118230Notice the missing second slash in
https:/....This only happens through the local microfrontends proxy. Hitting the child app directly returns the correct encoded redirect.
Steps to reproduce issue
Locationincludes an absolute URL in a query param.Location: http://localhost:6720/free-tools/tiktok-audience-analytics?url=https%3A%2F%2Fwww.tiktok.com%2F%40streamhits01%2Fvideo%2F7611535128661118230Location: /free-tools/tiktok-audience-analytics?url=https:/www.tiktok.com/@streamhits01/video/7611535128661118230I reproduced this with:
http://localhost:6720http://localhost:6722@vercel/microfrontends@2.3.2Direct child app request:
curl -I 'http://localhost:6722/free-tools/tiktok-audience-analytics?url=https://www.tiktok.com/@streamhits01/video/7611535128661118230'returns a correct encoded
Locationheader.Shared proxy request:
curl -I 'http://localhost:6720/free-tools/tiktok-audience-analytics?url=https://www.tiktok.com/@streamhits01/video/7611535128661118230'returns a malformed
Locationheader withhttps:/....Expected behavior
The local proxy should preserve the redirect target and not rewrite absolute URLs that appear inside query parameters.
Screenshots
N/A
Additional context
This looks like it comes from the local proxy
Locationrewrite logic using a non-anchored regex:Because that replacement is not anchored to the start of the header, it can also match
https://...that appears later inside the query string.Anchoring it appears to avoid the corruption:
I have not patched this locally because it seems like an upstream local-proxy bug rather than an app-level issue.