@sveltejs/kit 1.0.0-next.461 → 1.0.0-next.462

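--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sveltejs/kit",
-"version": "1.0.0-next.461",
+"version": "1.0.0-next.462",
 "repository": {
 "type": "git",
 "url": "https://github.com/sveltejs/kit",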
@@ -125,6 +125,10 @@ const options = object(
125
125
  reportOnly: directives
126
126
  }),
127
127
 
128
+ csrf: object({
129
+ checkOrigin: boolean(true)
130
+ }),
131
+
128
132
  // TODO: remove this for the 1.0 release
129
133
  endpointExtensions: error(
130
134
  (keypath) => `${keypath} has been renamed to config.kit.moduleExtensions`
@@ -54,6 +54,9 @@ export class Server {
54
54
  constructor(manifest) {
55
55
  this.options = {
56
56
  csp: ${s(config.kit.csp)},
57
+ csrf: {
58
+ check_origin: ${s(config.kit.csrf.checkOrigin)},
59
+ },
57
60
  dev: false,
58
61
  get_stack: error => String(error), // for security
59
62
  handle_error: (error, event) => {
@@ -377,6 +377,9 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
377
377
  request,
378
378
  {
379
379
  csp: svelte_config.kit.csp,
380
+ csrf: {
381
+ check_origin: svelte_config.kit.csrf.checkOrigin
382
+ },
380
383
  dev: true,
381
384
  get_stack: (error) => fix_stack_trace(error),
382
385
  handle_error: (error, event) => {
@@ -18,6 +18,21 @@ const default_transform = ({ html }) => html;
18
18
  export async function respond(request, options, state) {
19
19
  let url = new URL(request.url);
20
20
 
21
+ if (options.csrf.check_origin) {
22
+ const type = request.headers.get('content-type')?.split(';')[0];
23
+
24
+ const forbidden =
25
+ request.method === 'POST' &&
26
+ request.headers.get('origin') !== url.origin &&
27
+ (type === 'application/x-www-form-urlencoded' || type === 'multipart/form-data');
28
+
29
+ if (forbidden) {
30
+ return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
31
+ status: 403
32
+ });
33
+ }
34
+ }
35
+
21
36
  const { parameter, allowed } = options.method_override;
22
37
  const method_override = url.searchParams.get(parameter)?.toUpperCase();
23
38
 
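Review bot: The content-type allow-list in the `forbidden` expression omits `text/plain`, which an HTML form can also send via `enctype="text/plain"`, so a cross-site form submission using that encoding passes the new origin check unchanged; the condition should read `(type === 'application/x-www-form-urlencoded' || type === 'multipart/form-data' || type === 'text/plain')`. A request with no Origin header at all also fails the comparison (`null !== url.origin`), so same-origin POSTs from non-browser clients that omit Origin receive the 403 — a sensible default, but worth a comment at the `if (options.csrf.check_origin)` line so operators know that `checkOrigin: false` is the switch for such clients. `url.origin` is derived from `request.url`, which is presumably adapter-supplied; behind a reverse proxy that value may not match the origin the browser sees, so confirm adapters honour forwarded host headers before relying on this comparison. respond's body continues outside the hunk.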
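--- a/package/types/index.d.ts
+++ b/package/types/index.d.ts
@@ -128,6 +128,9 @@ export interface KitConfig {
 directives?: CspDirectives;
 reportOnly?: CspDirectives;
 };
+csrf?: {
+checkOrigin?: boolean;
+};
 env?: {
 dir?: string;
 publicPrefix?: string;
@@ -290,6 +290,9 @@ export type SSRNodeLoader = () => Promise<SSRNode>;
 
 export interface SSROptions {
 csp: ValidatedConfig['kit']['csp'];
+csrf: {
+check_origin: boolean;
+};
 dev: boolean;
 get_stack: (error: Error) => string | undefined;
 handle_error(error: Error & { frame?: string }, event: RequestEvent): void;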
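Review bot: The new public config field `csrf?: { checkOrigin?: boolean; };` in the first hunk (KitConfig) ships without a TSDoc comment, so users have no in-editor description of what they are turning off. Add a `/** ... */` block above `csrf?:` stating that `checkOrigin` defaults to `true` (per the `boolean(true)` default in the options schema), that when enabled a POST with a form content type (`application/x-www-form-urlencoded` or `multipart/form-data`) whose Origin header differs from the request origin is rejected with a 403, and that it should only be disabled when another CSRF mitigation is in place. The `SSROptions.csrf` addition in the second hunk is the snake_case mirror of that field; a one-line comment there such as `// derived from config.kit.csrf.checkOrigin` would keep the two declarations traceable. Both interfaces continue outside the hunks.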