Data leaking between server-side rendered pages

[jstasiak]

Hey,

Thank you for the project, I figured you'd be interested in what I'm about to report here:

We have a page that's generated using Gatsby.

Initially we used react-helmet and gatsby-plugin-react-helmet but there were issues with some server-side rendered pages having either other pages' HEAD tags or no tags at all (cross-page data leak). We read around a little bit and we saw some reports of react-helmet not being safe in case of IO/async stuff happening when server-side rendering takes place.

We switched to react-helmet-async and gatsby-plugin-react-helmet-async following react-helmet-async's declaration that

react-helmet relies on react-side-effect, which is not thread-safe. If you are doing anything asynchronous on the server, you need Helmet to encapsulate data on a per-request basis, this package does just that.

Unfortunately we discovered that this does not help. There are no cases of pages having empty HEAD tags, admittedly, but in 100% of the Gatsby project builds one of the pages has HEAD tags that belong to a different page.

The content for the pages is generated from the filesystem and from an external CMS accessed through HTTP(S) (Prismic).

There's nothing special in the way we use(d) react-helmet-async or the Gatsby plugin so I'm not providing any code at this stage.

I'm not sure where it's best to report this so I'm reporting it here since the plugin was our direct dependency (we had to switch to managing the HEAD tags ourselves).

Software versions:

• Node.js 16.14.0
• Gatsby 4.6.0
• gatsby-plugin-react-helmet-async 1.2.1
• react-helmet-async 1.3.0
• React 17.0.1

I've tried upgrading the software to the latest versions, where possible or where we weren't already using the latest, no change in behavior.

[mjBayati]

I have same issue, is there any update ?

[mjBayati]

After investigating the concepts behind helment-async, and what kind of problems that will be resolved by this package. I figured out how this package should be worked when is used by server side framworks like gatsby.

Also to be aligned with how to add this plugin to gatsby, I read about gatsby-ssr-apis

and here is the pull request that will fix problem of data leaking between different pages :

• https://github.com/me4502/gatsby-plugin-react-helmet-async/pull/106

  the change is about avoiding to use same shared object between different pages in gatsby-ssr, to do this, I changed context that is used in HelmetProvider, to be separated by pathname for each page.