@sveltejs/kit 1.0.0-next.461 → 1.0.0-next.464

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.461",
+  "version": "1.0.0-next.464",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",
@@ -10,7 +10,7 @@
   "homepage": "https://kit.svelte.dev",
   "type": "module",
   "dependencies": {
-    "@sveltejs/vite-plugin-svelte": "^1.0.3",
+    "@sveltejs/vite-plugin-svelte": "^1.0.4",
     "cookie": "^0.5.0",
     "devalue": "^3.1.2",
     "kleur": "^4.1.4",

package/src/core/config/options.js

@@ -125,6 +125,10 @@ const options = object(
 				reportOnly: directives
 			}),
 
+			csrf: object({
+				checkOrigin: boolean(true)
+			}),
+
 			// TODO: remove this for the 1.0 release
 			endpointExtensions: error(
 				(keypath) => `${keypath} has been renamed to config.kit.moduleExtensions`

package/src/core/generate_manifest/index.js

@@ -60,13 +60,13 @@ export function generate_manifest({ build_data, relative_path, routes, format =
 					if (!route.page && !route.endpoint) return;
 
 					return `{
-						id: ${s(route.id)},
-						pattern: ${route.pattern},
-						names: ${s(route.names)},
-						types: ${s(route.types)},
-						page: ${s(route.page)},
-						endpoint: ${route.endpoint ? loader(`${relative_path}/${build_data.server.vite_manifest[route.endpoint.file].file}`) : 'null'}
-					}`;
+					id: ${s(route.id)},
+					pattern: ${route.pattern},
+					names: ${s(route.names)},
+					types: ${s(route.types)},
+					page: ${route.page ? `{ layouts: ${get_nodes(route.page.layouts)}, errors: ${get_nodes(route.page.errors)}, leaf: ${route.page.leaf} }` : 'null'},
+					endpoint: ${route.endpoint ? loader(`${relative_path}/${build_data.server.vite_manifest[route.endpoint.file].file}`) : 'null'}
+				}`;
 				}).filter(Boolean).join(',\n\t\t\t\t')}
 			],
 			matchers: async () => {
@@ -76,3 +76,17 @@ export function generate_manifest({ build_data, relative_path, routes, format =
 		}
 	}`.replace(/^\t/gm, '');
 }
+
+/** @param {Array<number | undefined>} indexes */
+function get_nodes(indexes) {
+	let string = indexes.map((n) => n ?? '').join(',');
+
+	if (indexes.at(-1) === undefined) {
+		// since JavaScript ignores trailing commas, we need to insert a dummy
+		// comma so that the array has the correct length if the last item
+		// is undefined
+		string += ',';
+	}
+
+	return `[${string}]`;
+}

package/src/exports/vite/build/build_server.js

@@ -54,6 +54,9 @@ export class Server {
 	constructor(manifest) {
 		this.options = {
 			csp: ${s(config.kit.csp)},
+			csrf: {
+				check_origin: ${s(config.kit.csrf.checkOrigin)},
+			},
 			dev: false,
 			get_stack: error => String(error), // for security
 			handle_error: (error, event) => {

package/src/exports/vite/dev/index.js

@@ -377,6 +377,9 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 					request,
 					{
 						csp: svelte_config.kit.csp,
+						csrf: {
+							check_origin: svelte_config.kit.csrf.checkOrigin
+						},
 						dev: true,
 						get_stack: (error) => fix_stack_trace(error),
 						handle_error: (error, event) => {

package/src/runtime/client/client.js

@@ -2,7 +2,7 @@ import { onMount, tick } from 'svelte';
 import { normalize_error } from '../../utils/error.js';
 import { make_trackable, decode_params, normalize_path } from '../../utils/url.js';
 import { find_anchor, get_base_uri, scroll_state } from './utils.js';
-import { lock_fetch, unlock_fetch, initial_fetch, native_fetch } from './fetcher.js';
+import { lock_fetch, unlock_fetch, initial_fetch, subsequent_fetch } from './fetcher.js';
 import { parse } from './parse.js';
 import { error } from '../../exports/index.js';
 
@@ -584,11 +584,13 @@ export function create_client({ target, base, trailing_slash }) {
 					}
 
 					// we must fixup relative urls so they are resolved from the target page
-					const normalized = new URL(requested, url).href;
-					depends(normalized);
+					const resolved = new URL(requested, url).href;
+					depends(resolved);
 
-					// prerendered pages may be served from any origin, so `initial_fetch` urls shouldn't be normalized
-					return started ? native_fetch(normalized, init) : initial_fetch(requested, init);
+					// prerendered pages may be served from any origin, so `initial_fetch` urls shouldn't be resolved
+					return started
+						? subsequent_fetch(resolved, init)
+						: initial_fetch(requested, resolved, init);
 				},
 				setHeaders: () => {}, // noop
 				depends,
@@ -941,7 +943,7 @@ export function create_client({ target, base, trailing_slash }) {
 
 	/** @param {URL} url */
 	function get_navigation_intent(url) {
-		if (url.origin !== location.origin || !url.pathname.startsWith(base)) return;
+		if (is_external_url(url)) return;
 
 		const path = decodeURI(url.pathname.slice(base.length) || '/');
 
@@ -960,6 +962,11 @@ export function create_client({ target, base, trailing_slash }) {
 		}
 	}
 
+	/** @param {URL} url */
+	function is_external_url(url) {
+		return url.origin !== location.origin || !url.pathname.startsWith(base);
+	}
+
 	/**
 	 * @param {{
 	 *   url: URL;
@@ -1154,6 +1161,7 @@ export function create_client({ target, base, trailing_slash }) {
 			const trigger_prefetch = (event) => {
 				const { url, options } = find_anchor(event);
 				if (url && options.prefetch === '') {
+					if (is_external_url(url)) return;
 					prefetch(url);
 				}
 			};

package/src/runtime/client/fetcher.js

@@ -2,7 +2,7 @@ import { hash } from '../hash.js';
 
 let loading = 0;
 
-export const native_fetch = window.fetch;
+const native_fetch = window.fetch;
 
 export function lock_fetch() {
 	loading += 1;
@@ -33,15 +33,40 @@ if (import.meta.env.DEV) {
 			);
 		}
 
+		const method = input instanceof Request ? input.method : init?.method || 'GET';
+
+		if (method !== 'GET') {
+			const url = new URL(input instanceof Request ? input.url : input.toString(), document.baseURI)
+				.href;
+			cache.delete(url);
+		}
+
+		return native_fetch(input, init);
+	};
+} else {
+	window.fetch = (input, init) => {
+		const method = input instanceof Request ? input.method : init?.method || 'GET';
+
+		if (method !== 'GET') {
+			const url = new URL(input instanceof Request ? input.url : input.toString(), document.baseURI)
+				.href;
+			cache.delete(url);
+		}
+
 		return native_fetch(input, init);
 	};
 }
 
+const cache = new Map();
+
 /**
+ * Should be called on the initial run of load functions that hydrate the page.
+ * Saves any requests with cache-control max-age to the cache.
  * @param {RequestInfo} resource
+ * @param {string} resolved
  * @param {RequestInit} [opts]
  */
-export function initial_fetch(resource, opts) {
+export function initial_fetch(resource, resolved, opts) {
 	const url = JSON.stringify(typeof resource === 'string' ? resource : resource.url);
 
 	let selector = `script[data-sveltekit-fetched][data-url=${url}]`;
@@ -51,10 +76,32 @@ export function initial_fetch(resource, opts) {
 	}
 
 	const script = document.querySelector(selector);
-	if (script && script.textContent) {
+	if (script?.textContent) {
 		const { body, ...init } = JSON.parse(script.textContent);
+
+		const ttl = script.getAttribute('data-ttl');
+		if (ttl) cache.set(resolved, { body, init, ttl: 1000 * Number(ttl) });
+
 		return Promise.resolve(new Response(body, init));
 	}
 
 	return native_fetch(resource, opts);
 }
+
+/**
+ * Tries to get the response from the cache, if max-age allows it, else does a fetch.
+ * @param {string} resolved
+ * @param {RequestInit} [opts]
+ */
+export function subsequent_fetch(resolved, opts) {
+	const cached = cache.get(resolved);
+	if (cached) {
+		if (performance.now() < cached.ttl) {
+			return new Response(cached.body, cached.init);
+		}
+
+		cache.delete(resolved);
+	}
+
+	return native_fetch(resolved, opts);
+}

package/src/runtime/server/index.js

@@ -18,6 +18,21 @@ const default_transform = ({ html }) => html;
 export async function respond(request, options, state) {
 	let url = new URL(request.url);
 
+	if (options.csrf.check_origin) {
+		const type = request.headers.get('content-type')?.split(';')[0];
+
+		const forbidden =
+			request.method === 'POST' &&
+			request.headers.get('origin') !== url.origin &&
+			(type === 'application/x-www-form-urlencoded' || type === 'multipart/form-data');
+
+		if (forbidden) {
+			return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+				status: 403
+			});
+		}
+	}
+
 	const { parameter, allowed } = options.method_override;
 	const method_override = url.searchParams.get(parameter)?.toUpperCase();
 

package/src/runtime/server/page/fetch.js

@@ -214,6 +214,7 @@ export function create_fetch({ event, options, state, route, prerender_default }
 
 						fetched.push({
 							url: requested,
+							method: opts.method || 'GET',
 							body: opts.body,
 							response: {
 								status: status_number,

package/src/runtime/server/page/render.js

@@ -284,7 +284,7 @@ export async function render_response({
 	}
 
 	if (page_config.ssr && page_config.csr) {
-		body += `\n\t${fetched.map(serialize_data).join('\n\t')}`;
+		body += `\n\t${fetched.map((item) => serialize_data(item, !!state.prerendering)).join('\n\t')}`;
 	}
 
 	if (options.service_worker) {

package/src/runtime/server/page/serialize_data.js

@@ -35,10 +35,11 @@ const pattern = new RegExp(`[${Object.keys(replacements).join('')}]`, 'g');
  * and that the resulting string isn't further modified.
  *
  * @param {import('./types.js').Fetched} fetched
+ * @param {boolean} [prerendering]
  * @returns {string} The raw HTML of a script element carrying the JSON payload.
  * @example const html = serialize_data('/data.json', null, { foo: 'bar' });
  */
-export function serialize_data(fetched) {
+export function serialize_data(fetched, prerendering = false) {
 	const safe_payload = JSON.stringify(fetched.response).replace(
 		pattern,
 		(match) => replacements[match]
@@ -54,5 +55,18 @@ export function serialize_data(fetched) {
 		attrs.push(`data-hash=${escape_html_attr(hash(fetched.body))}`);
 	}
 
+	if (!prerendering && fetched.method === 'GET') {
+		const cache_control = /** @type {string} */ (fetched.response.headers['cache-control']);
+		if (cache_control) {
+			const match = /s-maxage=(\d+)/g.exec(cache_control) ?? /max-age=(\d+)/g.exec(cache_control);
+			if (match) {
+				const age = /** @type {string} */ (fetched.response.headers['age']) ?? '0';
+
+				const ttl = +match[1] - +age;
+				attrs.push(`data-ttl="${ttl}"`);
+			}
+		}
+	}
+
 	return `<script ${attrs.join(' ')}>${safe_payload}</script>`;
 }

package/src/runtime/server/page/types.d.ts

@@ -3,6 +3,7 @@ import { HttpError } from '../../control.js';
 
 export interface Fetched {
 	url: string;
+	method: string;
 	body?: string | null;
 	response: {
 		status: number;

package/types/ambient.d.ts

@@ -88,6 +88,7 @@ declare module '$app/environment' {
  * 	disableScrollHandling,
  * 	goto,
  * 	invalidate,
+ * 	invalidateAll,
  * 	prefetch,
  * 	prefetchRoutes
  * } from '$app/navigation';

package/types/index.d.ts

@@ -128,6 +128,9 @@ export interface KitConfig {
 		directives?: CspDirectives;
 		reportOnly?: CspDirectives;
 	};
+	csrf?: {
+		checkOrigin?: boolean;
+	};
 	env?: {
 		dir?: string;
 		publicPrefix?: string;

package/types/internal.d.ts

@@ -290,6 +290,9 @@ export type SSRNodeLoader = () => Promise<SSRNode>;
 
 export interface SSROptions {
 	csp: ValidatedConfig['kit']['csp'];
+	csrf: {
+		check_origin: boolean;
+	};
 	dev: boolean;
 	get_stack: (error: Error) => string | undefined;
 	handle_error(error: Error & { frame?: string }, event: RequestEvent): void;