@sveltejs/kit 1.0.0-next.460 → 1.0.0-next.463

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.460",
+  "version": "1.0.0-next.463",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",
@@ -10,7 +10,7 @@
   "homepage": "https://kit.svelte.dev",
   "type": "module",
   "dependencies": {
-    "@sveltejs/vite-plugin-svelte": "^1.0.3",
+    "@sveltejs/vite-plugin-svelte": "^1.0.4",
     "cookie": "^0.5.0",
     "devalue": "^3.1.2",
     "kleur": "^4.1.4",

package/src/core/config/options.js

@@ -125,6 +125,10 @@ const options = object(
 				reportOnly: directives
 			}),
 
+			csrf: object({
+				checkOrigin: boolean(true)
+			}),
+
 			// TODO: remove this for the 1.0 release
 			endpointExtensions: error(
 				(keypath) => `${keypath} has been renamed to config.kit.moduleExtensions`

package/src/exports/vite/build/build_server.js

@@ -54,6 +54,9 @@ export class Server {
 	constructor(manifest) {
 		this.options = {
 			csp: ${s(config.kit.csp)},
+			csrf: {
+				check_origin: ${s(config.kit.csrf.checkOrigin)},
+			},
 			dev: false,
 			get_stack: error => String(error), // for security
 			handle_error: (error, event) => {

package/src/exports/vite/dev/index.js

@@ -377,6 +377,9 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 					request,
 					{
 						csp: svelte_config.kit.csp,
+						csrf: {
+							check_origin: svelte_config.kit.csrf.checkOrigin
+						},
 						dev: true,
 						get_stack: (error) => fix_stack_trace(error),
 						handle_error: (error, event) => {

package/src/runtime/app/navigation.js

@@ -16,6 +16,7 @@ export const disableScrollHandling = ssr
 	: client.disable_scroll_handling;
 export const goto = ssr ? guard('goto') : client.goto;
 export const invalidate = ssr ? guard('invalidate') : client.invalidate;
+export const invalidateAll = ssr ? guard('invalidateAll') : client.invalidateAll;
 export const prefetch = ssr ? guard('prefetch') : client.prefetch;
 export const prefetchRoutes = ssr ? guard('prefetchRoutes') : client.prefetch_routes;
 export const beforeNavigate = ssr ? () => {} : client.before_navigate;

package/src/runtime/client/client.js

@@ -2,7 +2,7 @@ import { onMount, tick } from 'svelte';
 import { normalize_error } from '../../utils/error.js';
 import { make_trackable, decode_params, normalize_path } from '../../utils/url.js';
 import { find_anchor, get_base_uri, scroll_state } from './utils.js';
-import { lock_fetch, unlock_fetch, initial_fetch, native_fetch } from './fetcher.js';
+import { lock_fetch, unlock_fetch, initial_fetch, subsequent_fetch } from './fetcher.js';
 import { parse } from './parse.js';
 import { error } from '../../exports/index.js';
 
@@ -70,7 +70,7 @@ function check_for_removed_attributes() {
  * @returns {import('./types').Client}
  */
 export function create_client({ target, base, trailing_slash }) {
-	/** @type {Array<((href: string) => boolean)>} */
+	/** @type {Array<((url: URL) => boolean)>} */
 	const invalidated = [];
 
 	/** @type {{id: string | null, promise: Promise<import('./types').NavigationResult | undefined> | null}} */
@@ -103,6 +103,7 @@ export function create_client({ target, base, trailing_slash }) {
 
 	/** @type {Promise<void> | null} */
 	let invalidating = null;
+	let force_invalidation = false;
 
 	/** @type {import('svelte').SvelteComponent} */
 	let root;
@@ -139,6 +140,19 @@ export function create_client({ target, base, trailing_slash }) {
 	/** @type {{}} */
 	let token;
 
+	function invalidate() {
+		if (!invalidating) {
+			invalidating = Promise.resolve().then(async () => {
+				await update(new URL(location.href), []);
+
+				invalidating = null;
+				force_invalidation = false;
+			});
+		}
+
+		return invalidating;
+	}
+
 	/**
 	 * @param {string | URL} url
 	 * @param {{ noscroll?: boolean; replaceState?: boolean; keepfocus?: boolean; state?: any }} opts
@@ -570,11 +584,13 @@ export function create_client({ target, base, trailing_slash }) {
 					}
 
 					// we must fixup relative urls so they are resolved from the target page
-					const normalized = new URL(requested, url).href;
-					depends(normalized);
+					const resolved = new URL(requested, url).href;
+					depends(resolved);
 
-					// prerendered pages may be served from any origin, so `initial_fetch` urls shouldn't be normalized
-					return started ? native_fetch(normalized, init) : initial_fetch(requested, init);
+					// prerendered pages may be served from any origin, so `initial_fetch` urls shouldn't be resolved
+					return started
+						? subsequent_fetch(resolved, init)
+						: initial_fetch(requested, resolved, init);
 				},
 				setHeaders: () => {}, // noop
 				depends,
@@ -639,6 +655,8 @@ export function create_client({ target, base, trailing_slash }) {
 	 * @param {{ url: boolean, params: string[] }} changed
 	 */
 	function has_changed(changed, parent_changed, uses) {
+		if (force_invalidation) return true;
+
 		if (!uses) return false;
 
 		if (uses.parent && parent_changed) return true;
@@ -648,8 +666,8 @@ export function create_client({ target, base, trailing_slash }) {
 			if (uses.params.has(param)) return true;
 		}
 
-		for (const dep of uses.dependencies) {
-			if (invalidated.some((fn) => fn(dep))) return true;
+		for (const href of uses.dependencies) {
+			if (invalidated.some((fn) => fn(new URL(href)))) return true;
 		}
 
 		return false;
@@ -1057,28 +1075,25 @@ export function create_client({ target, base, trailing_slash }) {
 
 		invalidate: (resource) => {
 			if (resource === undefined) {
-				// Force rerun of all load functions, regardless of their dependencies
-				for (const node of current.branch) {
-					node?.server?.uses.dependencies.add('');
-					node?.shared?.uses.dependencies.add('');
-				}
-				invalidated.push(() => true);
-			} else if (typeof resource === 'function') {
+				// TODO remove for 1.0
+				throw new Error(
+					'`invalidate()` (with no arguments) has been replaced by `invalidateAll()`'
+				);
+			}
+
+			if (typeof resource === 'function') {
 				invalidated.push(resource);
 			} else {
 				const { href } = new URL(resource, location.href);
-				invalidated.push((dep) => dep === href);
+				invalidated.push((url) => url.href === href);
 			}
 
-			if (!invalidating) {
-				invalidating = Promise.resolve().then(async () => {
-					await update(new URL(location.href), []);
-
-					invalidating = null;
-				});
-			}
+			return invalidate();
+		},
 
-			return invalidating;
+		invalidateAll: () => {
+			force_invalidation = true;
+			return invalidate();
 		},
 
 		prefetch: async (href) => {

package/src/runtime/client/fetcher.js

@@ -2,7 +2,7 @@ import { hash } from '../hash.js';
 
 let loading = 0;
 
-export const native_fetch = window.fetch;
+const native_fetch = window.fetch;
 
 export function lock_fetch() {
 	loading += 1;
@@ -33,15 +33,40 @@ if (import.meta.env.DEV) {
 			);
 		}
 
+		const method = input instanceof Request ? input.method : init?.method || 'GET';
+
+		if (method !== 'GET') {
+			const url = new URL(input instanceof Request ? input.url : input.toString(), document.baseURI)
+				.href;
+			cache.delete(url);
+		}
+
+		return native_fetch(input, init);
+	};
+} else {
+	window.fetch = (input, init) => {
+		const method = input instanceof Request ? input.method : init?.method || 'GET';
+
+		if (method !== 'GET') {
+			const url = new URL(input instanceof Request ? input.url : input.toString(), document.baseURI)
+				.href;
+			cache.delete(url);
+		}
+
 		return native_fetch(input, init);
 	};
 }
 
+const cache = new Map();
+
 /**
+ * Should be called on the initial run of load functions that hydrate the page.
+ * Saves any requests with cache-control max-age to the cache.
  * @param {RequestInfo} resource
+ * @param {string} resolved
  * @param {RequestInit} [opts]
  */
-export function initial_fetch(resource, opts) {
+export function initial_fetch(resource, resolved, opts) {
 	const url = JSON.stringify(typeof resource === 'string' ? resource : resource.url);
 
 	let selector = `script[data-sveltekit-fetched][data-url=${url}]`;
@@ -51,10 +76,32 @@ export function initial_fetch(resource, opts) {
 	}
 
 	const script = document.querySelector(selector);
-	if (script && script.textContent) {
+	if (script?.textContent) {
 		const { body, ...init } = JSON.parse(script.textContent);
+
+		const ttl = script.getAttribute('data-ttl');
+		if (ttl) cache.set(resolved, { body, init, ttl: 1000 * Number(ttl) });
+
 		return Promise.resolve(new Response(body, init));
 	}
 
 	return native_fetch(resource, opts);
 }
+
+/**
+ * Tries to get the response from the cache, if max-age allows it, else does a fetch.
+ * @param {string} resolved
+ * @param {RequestInit} [opts]
+ */
+export function subsequent_fetch(resolved, opts) {
+	const cached = cache.get(resolved);
+	if (cached) {
+		if (performance.now() < cached.ttl) {
+			return new Response(cached.body, cached.init);
+		}
+
+		cache.delete(resolved);
+	}
+
+	return native_fetch(resolved, opts);
+}

package/src/runtime/client/types.d.ts

@@ -3,6 +3,7 @@ import {
 	beforeNavigate,
 	goto,
 	invalidate,
+	invalidateAll,
 	prefetch,
 	prefetchRoutes
 } from '$app/navigation';
@@ -17,6 +18,7 @@ export interface Client {
 	disable_scroll_handling: () => void;
 	goto: typeof goto;
 	invalidate: typeof invalidate;
+	invalidateAll: typeof invalidateAll;
 	prefetch: typeof prefetch;
 	prefetch_routes: typeof prefetchRoutes;
 

package/src/runtime/server/index.js

@@ -18,6 +18,21 @@ const default_transform = ({ html }) => html;
 export async function respond(request, options, state) {
 	let url = new URL(request.url);
 
+	if (options.csrf.check_origin) {
+		const type = request.headers.get('content-type')?.split(';')[0];
+
+		const forbidden =
+			request.method === 'POST' &&
+			request.headers.get('origin') !== url.origin &&
+			(type === 'application/x-www-form-urlencoded' || type === 'multipart/form-data');
+
+		if (forbidden) {
+			return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+				status: 403
+			});
+		}
+	}
+
 	const { parameter, allowed } = options.method_override;
 	const method_override = url.searchParams.get(parameter)?.toUpperCase();
 

package/src/runtime/server/page/fetch.js

@@ -214,6 +214,7 @@ export function create_fetch({ event, options, state, route, prerender_default }
 
 						fetched.push({
 							url: requested,
+							method: opts.method || 'GET',
 							body: opts.body,
 							response: {
 								status: status_number,

package/src/runtime/server/page/render.js

@@ -284,7 +284,7 @@ export async function render_response({
 	}
 
 	if (page_config.ssr && page_config.csr) {
-		body += `\n\t${fetched.map(serialize_data).join('\n\t')}`;
+		body += `\n\t${fetched.map((item) => serialize_data(item, !!state.prerendering)).join('\n\t')}`;
 	}
 
 	if (options.service_worker) {

package/src/runtime/server/page/serialize_data.js

@@ -35,10 +35,11 @@ const pattern = new RegExp(`[${Object.keys(replacements).join('')}]`, 'g');
  * and that the resulting string isn't further modified.
  *
  * @param {import('./types.js').Fetched} fetched
+ * @param {boolean} [prerendering]
  * @returns {string} The raw HTML of a script element carrying the JSON payload.
  * @example const html = serialize_data('/data.json', null, { foo: 'bar' });
  */
-export function serialize_data(fetched) {
+export function serialize_data(fetched, prerendering = false) {
 	const safe_payload = JSON.stringify(fetched.response).replace(
 		pattern,
 		(match) => replacements[match]
@@ -54,5 +55,18 @@ export function serialize_data(fetched) {
 		attrs.push(`data-hash=${escape_html_attr(hash(fetched.body))}`);
 	}
 
+	if (!prerendering && fetched.method === 'GET') {
+		const cache_control = /** @type {string} */ (fetched.response.headers['cache-control']);
+		if (cache_control) {
+			const match = /s-maxage=(\d+)/g.exec(cache_control) ?? /max-age=(\d+)/g.exec(cache_control);
+			if (match) {
+				const age = /** @type {string} */ (fetched.response.headers['age']) ?? '0';
+
+				const ttl = +match[1] - +age;
+				attrs.push(`data-ttl="${ttl}"`);
+			}
+		}
+	}
+
 	return `<script ${attrs.join(' ')}>${safe_payload}</script>`;
 }

package/src/runtime/server/page/types.d.ts

@@ -3,6 +3,7 @@ import { HttpError } from '../../control.js';
 
 export interface Fetched {
 	url: string;
+	method: string;
 	body?: string | null;
 	response: {
 		status: number;

package/src/runtime/server/utils.js

@@ -194,8 +194,8 @@ export function handle_fatal_error(event, options, error) {
 
 	// ideally we'd use sec-fetch-dest instead, but Safari — quelle surprise — doesn't support it
 	const type = negotiate(event.request.headers.get('accept') || 'text/html', [
-		'text/html',
-		'application/json'
+		'application/json',
+		'text/html'
 	]);
 
 	if (event.url.pathname.endsWith(DATA_SUFFIX) || type === 'application/json') {

package/types/ambient.d.ts

@@ -88,6 +88,7 @@ declare module '$app/environment' {
  * 	disableScrollHandling,
  * 	goto,
  * 	invalidate,
+ * 	invalidateAll,
  * 	prefetch,
  * 	prefetchRoutes
  * } from '$app/navigation';
@@ -113,10 +114,25 @@ declare module '$app/navigation' {
 		opts?: { replaceState?: boolean; noscroll?: boolean; keepfocus?: boolean; state?: any }
 	): Promise<void>;
 	/**
-	 * Causes any `load` functions belonging to the currently active page to re-run if they `fetch` the resource in question. If no argument is given, all resources will be invalidated. Returns a `Promise` that resolves when the page is subsequently updated.
-	 * @param dependency The invalidated resource
+	 * Causes any `load` functions belonging to the currently active page to re-run if they depend on the `url` in question, via `fetch` or `depends`. Returns a `Promise` that resolves when the page is subsequently updated.
+	 *
+	 * If the argument is given as a `string` or `URL`, it must resolve to the same URL that was passed to `fetch` or `depends` (including query parameters).
+	 * To create a custom identifier, use a string beginning with `[a-z]+:` (e.g. `custom:state`) — this is a valid URL.
+	 *
+	 * The `function` argument can be used define a custom predicate. It receives the full `URL` and causes `load` to rerun if `true` is returned.
+	 * This can be useful if you want to invalidate based on a pattern instead of a exact match.
+	 *
+	 * ```ts
+	 * // Example: Match '/path' regardless of the query parameters
+	 * invalidate((url) => url.pathname === '/path');
+	 * ```
+	 * @param url The invalidated URL
+	 */
+	export function invalidate(url: string | URL | ((url: URL) => boolean)): Promise<void>;
+	/**
+	 * Causes all `load` functions belonging to the currently active page to re-run. Returns a `Promise` that resolves when the page is subsequently updated.
 	 */
-	export function invalidate(dependency?: string | ((href: string) => boolean)): Promise<void>;
+	export function invalidateAll(): Promise<void>;
 	/**
 	 * Programmatically prefetches the given page, which means
 	 *  1. ensuring that the code for the page is loaded, and

package/types/index.d.ts

@@ -128,6 +128,9 @@ export interface KitConfig {
 		directives?: CspDirectives;
 		reportOnly?: CspDirectives;
 	};
+	csrf?: {
+		checkOrigin?: boolean;
+	};
 	env?: {
 		dir?: string;
 		publicPrefix?: string;

package/types/internal.d.ts

@@ -290,6 +290,9 @@ export type SSRNodeLoader = () => Promise<SSRNode>;
 
 export interface SSROptions {
 	csp: ValidatedConfig['kit']['csp'];
+	csrf: {
+		check_origin: boolean;
+	};
 	dev: boolean;
 	get_stack: (error: Error) => string | undefined;
 	handle_error(error: Error & { frame?: string }, event: RequestEvent): void;