@sveltejs/kit 1.0.0-next.469 → 1.0.0-next.471

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.469",
+  "version": "1.0.0-next.471",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",
@@ -10,7 +10,7 @@
   "homepage": "https://kit.svelte.dev",
   "type": "module",
   "dependencies": {
-    "@sveltejs/vite-plugin-svelte": "^1.0.4",
+    "@sveltejs/vite-plugin-svelte": "^1.0.5",
     "cookie": "^0.5.0",
     "devalue": "^3.1.2",
     "kleur": "^4.1.4",
@@ -38,11 +38,11 @@
     "svelte-preprocess": "^4.10.6",
     "typescript": "^4.8.2",
     "uvu": "^0.5.3",
-    "vite": "^3.1.0-beta.2"
+    "vite": "^3.1.0"
   },
   "peerDependencies": {
     "svelte": "^3.44.0",
-    "vite": "^3.1.0-beta.1"
+    "vite": "^3.1.0"
   },
   "bin": {
     "svelte-kit": "svelte-kit.js"

package/src/core/env.js

@@ -24,8 +24,17 @@ export function create_static_module(id, env) {
 	return GENERATED_COMMENT + declarations.join('\n\n');
 }
 
-/** @param {'public' | 'private'} type */
-export function create_dynamic_module(type) {
+/**
+ * @param {'public' | 'private'} type
+ * @param {Record<string, string> | undefined} dev_values If in a development mode, values to pre-populate the module with.
+ */
+export function create_dynamic_module(type, dev_values) {
+	if (dev_values) {
+		const objectKeys = Object.entries(dev_values).map(
+			([k, v]) => `${JSON.stringify(k)}: ${JSON.stringify(v)}`
+		);
+		return `const env = {\n${objectKeys.join(',\n')}\n}\n\nexport { env }`;
+	}
 	return `export { env } from '${runtime_base}/env-${type}.js';`;
 }
 

package/src/core/prerender/prerender.js

@@ -237,10 +237,11 @@ export async function prerender() {
 			const encoded_dependency_path = new URL(dependency_path, 'http://localhost').pathname;
 			const decoded_dependency_path = decodeURI(encoded_dependency_path);
 
-			const prerender = result.response.headers.get('x-sveltekit-prerender');
+			const headers = Object.fromEntries(result.response.headers);
 
+			const prerender = headers['x-sveltekit-prerender'];
 			if (prerender) {
-				const route_id = /** @type {string} */ (result.response.headers.get('x-sveltekit-routeid'));
+				const route_id = headers['x-sveltekit-routeid'];
 				const existing_value = prerender_map.get(route_id);
 				if (existing_value !== 'auto') {
 					prerender_map.set(route_id, prerender === 'true' ? true : 'auto');
@@ -259,7 +260,10 @@ export async function prerender() {
 			);
 		}
 
-		if (config.prerender.crawl && response.headers.get('content-type') === 'text/html') {
+		// avoid triggering `filterSerializeResponseHeaders` guard
+		const headers = Object.fromEntries(response.headers);
+
+		if (config.prerender.crawl && headers['content-type'] === 'text/html') {
 			for (const href of crawl(body.toString())) {
 				if (href.startsWith('data:') || href.startsWith('#')) continue;
 
@@ -288,7 +292,9 @@ export async function prerender() {
 	 */
 	function save(category, response, body, decoded, encoded, referrer, referenceType) {
 		const response_type = Math.floor(response.status / 100);
-		const type = /** @type {string} */ (response.headers.get('content-type'));
+		const headers = Object.fromEntries(response.headers);
+
+		const type = headers['content-type'];
 		const is_html = response_type === REDIRECT || type === 'text/html';
 
 		const file = output_filename(decoded, is_html);
@@ -297,7 +303,7 @@ export async function prerender() {
 		if (written.has(file)) return;
 
 		if (response_type === REDIRECT) {
-			const location = response.headers.get('location');
+			const location = headers['location'];
 
 			if (location) {
 				const resolved = resolve(encoded, location);
@@ -305,7 +311,7 @@ export async function prerender() {
 					enqueue(decoded, decodeURI(resolved), resolved);
 				}
 
-				if (!response.headers.get('x-sveltekit-normalize')) {
+				if (!headers['x-sveltekit-normalize']) {
 					mkdirp(dirname(dest));
 
 					log.warn(`${response.status} ${decoded} -> ${location}`);

package/src/core/sync/create_manifest_data/index.js

@@ -103,6 +103,14 @@ function create_routes_and_nodes(cwd, config, fallback) {
 		 * @param {import('types').RouteData | null} parent
 		 */
 		const walk = (depth, id, segment, parent) => {
+			if (/\]\[/.test(id)) {
+				throw new Error(`Invalid route ${id} — parameters must be separated`);
+			}
+
+			if (count_occurrences('[', id) !== count_occurrences(']', id)) {
+				throw new Error(`Invalid route ${id} — brackets are unbalanced`);
+			}
+
 			const { pattern, names, types } = parse_route_id(id);
 
 			const segments = id.split('/');
@@ -450,3 +458,15 @@ function list_files(dir) {
 
 	return files;
 }
+
+/**
+ * @param {string} needle
+ * @param {string} haystack
+ */
+function count_occurrences(needle, haystack) {
+	let count = 0;
+	for (let i = 0; i < haystack.length; i += 1) {
+		if (haystack[i] === needle) count += 1;
+	}
+	return count;
+}

package/src/exports/vite/build/build_server.js

@@ -110,10 +110,16 @@ export class Server {
 
 		if (!this.options.hooks) {
 			const module = await import(${s(hooks)});
+
+			// TODO remove this for 1.0
+			if (module.externalFetch) {
+				throw new Error('externalFetch has been removed — use handleFetch instead. See https://github.com/sveltejs/kit/pull/6565 for details');
+			}
+
 			this.options.hooks = {
 				handle: module.handle || (({ event, resolve }) => resolve(event)),
 				handleError: module.handleError || (({ error }) => console.error(error.stack)),
-				externalFetch: module.externalFetch || fetch
+				handleFetch: module.handleFetch || (({ request, fetch }) => fetch(request))
 			};
 		}
 	}

package/src/exports/vite/dev/index.js

@@ -11,8 +11,9 @@ import { load_error_page, load_template } from '../../../core/config/index.js';
 import { SVELTE_KIT_ASSETS } from '../../../constants.js';
 import * as sync from '../../../core/sync/sync.js';
 import { get_mime_lookup, runtime_base, runtime_prefix } from '../../../core/utils.js';
-import { get_env, prevent_illegal_vite_imports, resolve_entry } from '../utils.js';
+import { prevent_illegal_vite_imports, resolve_entry } from '../utils.js';
 import { compact } from '../../../utils/array.js';
+import { normalizePath } from 'vite';
 
 // Vite doesn't expose this so we just copy the list for now
 // https://github.com/vitejs/vite/blob/3edd1af56e980aef56641a5a51cf2932bb580d41/packages/vite/src/node/plugins/css.ts#L96
@@ -24,10 +25,9 @@ const cwd = process.cwd();
  * @param {import('vite').ViteDevServer} vite
  * @param {import('vite').ResolvedConfig} vite_config
  * @param {import('types').ValidatedConfig} svelte_config
- * @param {Set<string>} illegal_imports
  * @return {Promise<Promise<() => void>>}
  */
-export async function dev(vite, vite_config, svelte_config, illegal_imports) {
+export async function dev(vite, vite_config, svelte_config) {
 	installPolyfills();
 
 	sync.init(svelte_config, vite_config.mode);
@@ -90,7 +90,11 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 								module_nodes.push(module_node);
 								result.file = url.endsWith('.svelte') ? url : url + '?import'; // TODO what is this for?
 
-								prevent_illegal_vite_imports(module_node, illegal_imports, extensions);
+								prevent_illegal_vite_imports(
+									module_node,
+									normalizePath(svelte_config.kit.files.lib),
+									extensions
+								);
 
 								return module.default;
 							};
@@ -103,7 +107,11 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 
 							result.shared = module;
 
-							prevent_illegal_vite_imports(module_node, illegal_imports, extensions);
+							prevent_illegal_vite_imports(
+								module_node,
+								normalizePath(svelte_config.kit.files.lib),
+								extensions
+							);
 						}
 
 						if (node.server) {
@@ -269,13 +277,6 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 		}
 	});
 
-	const { set_private_env } = await vite.ssrLoadModule(`${runtime_base}/env-private.js`);
-	const { set_public_env } = await vite.ssrLoadModule(`${runtime_base}/env-public.js`);
-
-	const env = get_env(svelte_config.kit.env, vite_config.mode);
-	set_private_env(env.private);
-	set_public_env(env.public);
-
 	return () => {
 		const serve_static_middleware = vite.middlewares.stack.find(
 			(middleware) =>
@@ -317,6 +318,14 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 
 				const handle = user_hooks.handle || (({ event, resolve }) => resolve(event));
 
+				// TODO remove for 1.0
+				// @ts-expect-error
+				if (user_hooks.externalFetch) {
+					throw new Error(
+						'externalFetch has been removed — use handleFetch instead. See https://github.com/sveltejs/kit/pull/6565 for details'
+					);
+				}
+
 				/** @type {import('types').Hooks} */
 				const hooks = {
 					handle,
@@ -331,7 +340,7 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 								console.error(colors.gray(error.stack));
 							}
 						}),
-					externalFetch: user_hooks.externalFetch || fetch
+					handleFetch: user_hooks.handleFetch || (({ request, fetch }) => fetch(request))
 				};
 
 				if (/** @type {any} */ (hooks).getContext) {
@@ -411,7 +420,7 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 							base: svelte_config.kit.paths.base,
 							assets
 						},
-						public_env: env.public,
+						public_env: {},
 						read: (file) => fs.readFileSync(path.join(svelte_config.kit.files.assets, file)),
 						root,
 						app_template: ({ head, body, assets, nonce }) => {

package/src/exports/vite/index.js

@@ -103,9 +103,6 @@ function kit() {
 	/** @type {import('types').BuildData} */
 	let build_data;
 
-	/** @type {Set<string>} */
-	let illegal_imports;
-
 	/** @type {string | undefined} */
 	let deferred_warning;
 
@@ -212,13 +209,6 @@ function kit() {
 				client_out_dir: `${svelte_config.kit.outDir}/output/client`
 			};
 
-			illegal_imports = new Set([
-				'/@id/__x00__$env/dynamic/private', //dev
-				'\0$env/dynamic/private', // prod
-				'/@id/__x00__$env/static/private', // dev
-				'\0$env/static/private' // prod
-			]);
-
 			if (is_build) {
 				manifest_data = (await sync.all(svelte_config, config_env.mode)).manifest_data;
 
@@ -299,9 +289,15 @@ function kit() {
 				case '\0$env/static/public':
 					return create_static_module('$env/static/public', env.public);
 				case '\0$env/dynamic/private':
-					return create_dynamic_module('private');
+					return create_dynamic_module(
+						'private',
+						vite_config_env.command === 'serve' ? env.private : undefined
+					);
 				case '\0$env/dynamic/public':
-					return create_dynamic_module('public');
+					return create_dynamic_module(
+						'public',
+						vite_config_env.command === 'serve' ? env.public : undefined
+					);
 			}
 		},
 
@@ -355,7 +351,7 @@ function kit() {
 						prevent_illegal_rollup_imports(
 							this.getModuleInfo.bind(this),
 							module_node,
-							illegal_imports
+							vite.normalizePath(svelte_config.kit.files.lib)
 						);
 					}
 				});
@@ -511,7 +507,7 @@ function kit() {
 				if (deferred_warning) console.error('\n' + deferred_warning);
 			};
 
-			return await dev(vite, vite_config, svelte_config, illegal_imports);
+			return await dev(vite, vite_config, svelte_config);
 		},
 
 		/**

package/src/exports/vite/utils.js

@@ -4,6 +4,26 @@ import { loadConfigFromFile, loadEnv, normalizePath } from 'vite';
 import { runtime_directory } from '../../core/utils.js';
 import { posixify } from '../../utils/filesystem.js';
 
+const illegal_imports = new Set([
+	'/@id/__x00__$env/dynamic/private', //dev
+	'\0$env/dynamic/private', // prod
+	'/@id/__x00__$env/static/private', // dev
+	'\0$env/static/private' // prod
+]);
+
+/** @param {string} id */
+function is_illegal(id) {
+	if (illegal_imports.has(id)) return true;
+
+	// files outside the project root are ignored
+	if (!id.startsWith(normalizePath(process.cwd()))) return false;
+
+	// so are files inside node_modules
+	if (id.startsWith(normalizePath(node_modules_dir))) return false;
+
+	return /.*\.server\..+/.test(path.basename(id));
+}
+
 /**
  * @param {import('vite').ResolvedConfig} config
  * @param {import('vite').ConfigEnv} config_env
@@ -183,8 +203,9 @@ function repeat(str, times) {
 /**
  * Create a formatted error for an illegal import.
  * @param {Array<{name: string, dynamic: boolean}>} stack
+ * @param {string} lib_dir
  */
-function format_illegal_import_chain(stack) {
+function format_illegal_import_chain(stack, lib_dir) {
 	const dev_virtual_prefix = '/@id/__x00__';
 	const prod_virtual_prefix = '\0';
 
@@ -195,6 +216,9 @@ function format_illegal_import_chain(stack) {
 		if (file.name.startsWith(prod_virtual_prefix)) {
 			return { ...file, name: file.name.replace(prod_virtual_prefix, '') };
 		}
+		if (file.name.startsWith(lib_dir)) {
+			return { ...file, name: file.name.replace(lib_dir, '$lib') };
+		}
 
 		return { ...file, name: path.relative(process.cwd(), file.name) };
 	});
@@ -211,6 +235,8 @@ function format_illegal_import_chain(stack) {
 	return `Cannot import ${stack.at(-1)?.name} into client-side code:\n${pyramid}`;
 }
 
+const node_modules_dir = path.resolve(process.cwd(), 'node_modules');
+
 /**
  * Load environment variables from process.env and .env files
  * @param {import('types').ValidatedKitConfig['env']} env_config
@@ -228,11 +254,11 @@ export function get_env(env_config, mode) {
 /**
  * @param {(id: string) => import('rollup').ModuleInfo | null} node_getter
  * @param {import('rollup').ModuleInfo} node
- * @param {Set<string>} illegal_imports Illegal module IDs -- be sure to call vite.normalizePath!
+ * @param {string} lib_dir
  */
-export function prevent_illegal_rollup_imports(node_getter, node, illegal_imports) {
-	const chain = find_illegal_rollup_imports(node_getter, node, false, illegal_imports);
-	if (chain) throw new Error(format_illegal_import_chain(chain));
+export function prevent_illegal_rollup_imports(node_getter, node, lib_dir) {
+	const chain = find_illegal_rollup_imports(node_getter, node, false);
+	if (chain) throw new Error(format_illegal_import_chain(chain, lib_dir));
 }
 
 const query_pattern = /\?.*$/s;
@@ -246,36 +272,27 @@ function remove_query_from_path(path) {
  * @param {(id: string) => import('rollup').ModuleInfo | null} node_getter
  * @param {import('rollup').ModuleInfo} node
  * @param {boolean} dynamic
- * @param {Set<string>} illegal_imports Illegal module IDs -- be sure to call vite.normalizePath!
  * @param {Set<string>} seen
  * @returns {Array<import('types').ImportNode> | null}
  */
-const find_illegal_rollup_imports = (
-	node_getter,
-	node,
-	dynamic,
-	illegal_imports,
-	seen = new Set()
-) => {
+const find_illegal_rollup_imports = (node_getter, node, dynamic, seen = new Set()) => {
 	const name = remove_query_from_path(normalizePath(node.id));
 	if (seen.has(name)) return null;
 	seen.add(name);
 
-	if (illegal_imports.has(name)) {
+	if (is_illegal(name)) {
 		return [{ name, dynamic }];
 	}
 
 	for (const id of node.importedIds) {
 		const child = node_getter(id);
-		const chain =
-			child && find_illegal_rollup_imports(node_getter, child, false, illegal_imports, seen);
+		const chain = child && find_illegal_rollup_imports(node_getter, child, false, seen);
 		if (chain) return [{ name, dynamic }, ...chain];
 	}
 
 	for (const id of node.dynamicallyImportedIds) {
 		const child = node_getter(id);
-		const chain =
-			child && find_illegal_rollup_imports(node_getter, child, true, illegal_imports, seen);
+		const chain = child && find_illegal_rollup_imports(node_getter, child, true, seen);
 		if (chain) return [{ name, dynamic }, ...chain];
 	}
 
@@ -308,22 +325,21 @@ const get_module_types = (config_module_types) => {
 /**
  * Throw an error if a private module is imported from a client-side node.
  * @param {import('vite').ModuleNode} node
- * @param {Set<string>} illegal_imports Illegal module IDs -- be sure to call vite.normalizePath!
+ * @param {string} lib_dir
  * @param {Iterable<string>} module_types File extensions to analyze in addition to the defaults: `.ts`, `.js`, etc.
  */
-export function prevent_illegal_vite_imports(node, illegal_imports, module_types) {
-	const chain = find_illegal_vite_imports(node, illegal_imports, get_module_types(module_types));
-	if (chain) throw new Error(format_illegal_import_chain(chain));
+export function prevent_illegal_vite_imports(node, lib_dir, module_types) {
+	const chain = find_illegal_vite_imports(node, get_module_types(module_types));
+	if (chain) throw new Error(format_illegal_import_chain(chain, lib_dir));
 }
 
 /**
  * @param {import('vite').ModuleNode} node
- * @param {Set<string>} illegal_imports Illegal module IDs -- be sure to call vite.normalizePath!
  * @param {Set<string>} module_types File extensions to analyze: `.ts`, `.js`, etc.
  * @param {Set<string>} seen
  * @returns {Array<import('types').ImportNode> | null}
  */
-function find_illegal_vite_imports(node, illegal_imports, module_types, seen = new Set()) {
+function find_illegal_vite_imports(node, module_types, seen = new Set()) {
 	if (!node.id) return null; // TODO when does this happen?
 	const name = remove_query_from_path(normalizePath(node.id));
 
@@ -332,12 +348,12 @@ function find_illegal_vite_imports(node, illegal_imports, module_types, seen = n
 	}
 	seen.add(name);
 
-	if (name && illegal_imports.has(name)) {
+	if (is_illegal(name)) {
 		return [{ name, dynamic: false }];
 	}
 
 	for (const child of node.importedModules) {
-		const chain = child && find_illegal_vite_imports(child, illegal_imports, module_types, seen);
+		const chain = child && find_illegal_vite_imports(child, module_types, seen);
 		if (chain) return [{ name, dynamic: false }, ...chain];
 	}
 

package/src/runtime/server/index.js

@@ -14,6 +14,8 @@ import { DATA_SUFFIX } from '../../constants.js';
 /** @param {{ html: string }} opts */
 const default_transform = ({ html }) => html;
 
+const default_filter = () => false;
+
 /** @type {import('types').Respond} */
 export async function respond(request, options, state) {
 	let url = new URL(request.url);
@@ -201,7 +203,8 @@ export async function respond(request, options, state) {
 
 	/** @type {import('types').RequiredResolveOptions} */
 	let resolve_opts = {
-		transformPageChunk: default_transform
+		transformPageChunk: default_transform,
+		filterSerializedResponseHeaders: default_filter
 	};
 
 	/**
@@ -226,7 +229,8 @@ export async function respond(request, options, state) {
 				}
 
 				resolve_opts = {
-					transformPageChunk: opts.transformPageChunk || default_transform
+					transformPageChunk: opts.transformPageChunk || default_transform,
+					filterSerializedResponseHeaders: opts.filterSerializedResponseHeaders || default_filter
 				};
 			}
 

package/src/runtime/server/page/fetch.js

@@ -1,7 +1,6 @@
 import * as cookie from 'cookie';
 import * as set_cookie_parser from 'set-cookie-parser';
 import { respond } from '../index.js';
-import { is_root_relative, resolve } from '../../../utils/url.js';
 import { domain_matches, path_matches } from './cookie.js';
 
 /**
@@ -11,194 +10,175 @@ import { domain_matches, path_matches } from './cookie.js';
  *   state: import('types').SSRState;
  *   route: import('types').SSRRoute | import('types').SSRErrorPage;
  *   prerender_default?: import('types').PrerenderOption;
+ *   resolve_opts: import('types').RequiredResolveOptions;
  * }} opts
  */
-export function create_fetch({ event, options, state, route, prerender_default }) {
+export function create_fetch({ event, options, state, route, prerender_default, resolve_opts }) {
 	/** @type {import('./types').Fetched[]} */
 	const fetched = [];
 
 	const initial_cookies = cookie.parse(event.request.headers.get('cookie') || '');
 
 	/** @type {import('set-cookie-parser').Cookie[]} */
-	const cookies = [];
+	const set_cookies = [];
 
-	/** @type {typeof fetch} */
-	const fetcher = async (resource, opts = {}) => {
-		/** @type {string} */
-		let requested;
-
-		if (typeof resource === 'string' || resource instanceof URL) {
-			requested = resource.toString();
-		} else {
-			requested = resource.url;
-
-			opts = {
-				method: resource.method,
-				headers: resource.headers,
-				body: resource.body,
-				mode: resource.mode,
-				credentials: resource.credentials,
-				cache: resource.cache,
-				redirect: resource.redirect,
-				referrer: resource.referrer,
-				integrity: resource.integrity,
-				...opts
-			};
-		}
+	/**
+	 * @param {URL} url
+	 * @param {string | null} header
+	 */
+	function get_cookie_header(url, header) {
+		/** @type {Record<string, string>} */
+		const new_cookies = {};
 
-		opts.headers = new Headers(opts.headers);
-
-		// merge headers from request
-		for (const [key, value] of event.request.headers) {
-			if (
-				key !== 'authorization' &&
-				key !== 'connection' &&
-				key !== 'content-length' &&
-				key !== 'cookie' &&
-				key !== 'host' &&
-				key !== 'if-none-match' &&
-				!opts.headers.has(key)
-			) {
-				opts.headers.set(key, value);
-			}
+		for (const cookie of set_cookies) {
+			if (!domain_matches(url.hostname, cookie.domain)) continue;
+			if (!path_matches(url.pathname, cookie.path)) continue;
+
+			new_cookies[cookie.name] = cookie.value;
 		}
 
-		const resolved = resolve(event.url.pathname, requested.split('?')[0]).replace(/#.+$/, '');
+		// cookies from explicit `cookie` header take precedence over cookies previously set
+		// during this load with `set-cookie`, which take precedence over the cookies
+		// sent by the user agent
+		const combined_cookies = {
+			...initial_cookies,
+			...new_cookies,
+			...cookie.parse(header ?? '')
+		};
+
+		return Object.entries(combined_cookies)
+			.map(([name, value]) => `${name}=${value}`)
+			.join('; ');
+	}
+
+	/** @type {typeof fetch} */
+	const fetcher = async (info, init) => {
+		const request = normalize_fetch_input(info, init, event.url);
 
-		/** @type {Response} */
-		let response;
+		const request_body = init?.body;
 
 		/** @type {import('types').PrerenderDependency} */
 		let dependency;
 
-		// handle fetch requests for static assets. e.g. prebaked data, etc.
-		// we need to support everything the browser's fetch supports
-		const prefix = options.paths.assets || options.paths.base;
-		const filename = decodeURIComponent(
-			resolved.startsWith(prefix) ? resolved.slice(prefix.length) : resolved
-		).slice(1);
-		const filename_html = `${filename}/index.html`; // path may also match path/index.html
+		const response = await options.hooks.handleFetch({
+			event,
+			request,
+			fetch: async (info, init) => {
+				const request = normalize_fetch_input(info, init, event.url);
 
-		const is_asset = options.manifest.assets.has(filename);
-		const is_asset_html = options.manifest.assets.has(filename_html);
+				const url = new URL(request.url);
 
-		if (is_asset || is_asset_html) {
-			const file = is_asset ? filename : filename_html;
+				if (url.origin !== event.url.origin) {
+					// allow cookie passthrough for "same-origin"
+					// if SvelteKit is serving my.domain.com:
+					// -        domain.com WILL NOT receive cookies
+					// -     my.domain.com WILL receive cookies
+					// -    api.domain.dom WILL NOT receive cookies
+					// - sub.my.domain.com WILL receive cookies
+					// ports do not affect the resolution
+					// leading dot prevents mydomain.com matching domain.com
+					if (
+						`.${url.hostname}`.endsWith(`.${event.url.hostname}`) &&
+						request.credentials !== 'omit'
+					) {
+						const cookie = get_cookie_header(url, request.headers.get('cookie'));
+						if (cookie) request.headers.set('cookie', cookie);
+					}
 
-			if (options.read) {
-				const type = is_asset
-					? options.manifest.mimeTypes[filename.slice(filename.lastIndexOf('.'))]
-					: 'text/html';
+					let response = await fetch(request);
 
-				response = new Response(options.read(file), {
-					headers: type ? { 'content-type': type } : {}
-				});
-			} else {
-				response = await fetch(`${event.url.origin}/${file}`, /** @type {RequestInit} */ (opts));
-			}
-		} else if (is_root_relative(resolved)) {
-			if (opts.credentials !== 'omit') {
-				const authorization = event.request.headers.get('authorization');
+					if (request.mode === 'no-cors') {
+						response = new Response('', {
+							status: response.status,
+							statusText: response.statusText,
+							headers: response.headers
+						});
+					} else {
+						if (url.origin !== event.url.origin) {
+							const acao = response.headers.get('access-control-allow-origin');
+							if (!acao || (acao !== event.url.origin && acao !== '*')) {
+								throw new Error(
+									`CORS error: ${
+										acao ? 'Incorrect' : 'No'
+									} 'Access-Control-Allow-Origin' header is present on the requested resource`
+								);
+							}
+						}
+					}
 
-				// combine cookies from the initiating request with any that were
-				// added via set-cookie
-				const combined_cookies = { ...initial_cookies };
+					return response;
+				}
 
-				for (const cookie of cookies) {
-					if (!domain_matches(event.url.hostname, cookie.domain)) continue;
-					if (!path_matches(resolved, cookie.path)) continue;
+				/** @type {Response} */
+				let response;
 
-					combined_cookies[cookie.name] = cookie.value;
-				}
+				// handle fetch requests for static assets. e.g. prebaked data, etc.
+				// we need to support everything the browser's fetch supports
+				const prefix = options.paths.assets || options.paths.base;
+				const decoded = decodeURIComponent(url.pathname);
+				const filename = (
+					decoded.startsWith(prefix) ? decoded.slice(prefix.length) : decoded
+				).slice(1);
+				const filename_html = `${filename}/index.html`; // path may also match path/index.html
 
-				const cookie = Object.entries(combined_cookies)
-					.map(([name, value]) => `${name}=${value}`)
-					.join('; ');
+				const is_asset = options.manifest.assets.has(filename);
+				const is_asset_html = options.manifest.assets.has(filename_html);
 
-				if (cookie) {
-					opts.headers.set('cookie', cookie);
-				}
+				if (is_asset || is_asset_html) {
+					const file = is_asset ? filename : filename_html;
 
-				if (authorization && !opts.headers.has('authorization')) {
-					opts.headers.set('authorization', authorization);
-				}
-			}
+					if (options.read) {
+						const type = is_asset
+							? options.manifest.mimeTypes[filename.slice(filename.lastIndexOf('.'))]
+							: 'text/html';
 
-			if (opts.body && typeof opts.body !== 'string') {
-				// per https://developer.mozilla.org/en-US/docs/Web/API/Request/Request, this can be a
-				// Blob, BufferSource, FormData, URLSearchParams, USVString, or ReadableStream object.
-				// non-string bodies are irksome to deal with, but luckily aren't particularly useful
-				// in this context anyway, so we take the easy route and ban them
-				throw new Error('Request body must be a string');
-			}
+						return new Response(options.read(file), {
+							headers: type ? { 'content-type': type } : {}
+						});
+					}
 
-			response = await respond(
-				new Request(new URL(requested, event.url).href, { ...opts }),
-				options,
-				{
-					prerender_default,
-					...state,
-					initiator: route
+					return await fetch(request);
 				}
-			);
-
-			if (state.prerendering) {
-				dependency = { response, body: null };
-				state.prerendering.dependencies.set(resolved, dependency);
-			}
-		} else {
-			// external
-			if (resolved.startsWith('//')) {
-				requested = event.url.protocol + requested;
-			}
 
-			const url = new URL(requested);
-
-			// external fetch
-			// allow cookie passthrough for "same-origin"
-			// if SvelteKit is serving my.domain.com:
-			// -        domain.com WILL NOT receive cookies
-			// -     my.domain.com WILL receive cookies
-			// -    api.domain.dom WILL NOT receive cookies
-			// - sub.my.domain.com WILL receive cookies
-			// ports do not affect the resolution
-			// leading dot prevents mydomain.com matching domain.com
-			if (`.${url.hostname}`.endsWith(`.${event.url.hostname}`) && opts.credentials !== 'omit') {
-				const cookie = event.request.headers.get('cookie');
-				if (cookie) opts.headers.set('cookie', cookie);
-			}
+				if (request.credentials !== 'omit') {
+					const cookie = get_cookie_header(url, request.headers.get('cookie'));
+					if (cookie) {
+						request.headers.set('cookie', cookie);
+					}
 
-			// we need to delete the connection header, as explained here:
-			// https://github.com/nodejs/undici/issues/1470#issuecomment-1140798467
-			// TODO this may be a case for being selective about which headers we let through
-			opts.headers.delete('connection');
+					const authorization = event.request.headers.get('authorization');
+					if (authorization && !request.headers.has('authorization')) {
+						request.headers.set('authorization', authorization);
+					}
+				}
 
-			const external_request = new Request(requested, /** @type {RequestInit} */ (opts));
-			response = await options.hooks.externalFetch.call(null, external_request);
+				if (request_body && typeof request_body !== 'string') {
+					// TODO is this still necessary? we just bail out below
+					// per https://developer.mozilla.org/en-US/docs/Web/API/Request/Request, this can be a
+					// Blob, BufferSource, FormData, URLSearchParams, USVString, or ReadableStream object.
+					// non-string bodies are irksome to deal with, but luckily aren't particularly useful
+					// in this context anyway, so we take the easy route and ban them
+					throw new Error('Request body must be a string');
+				}
 
-			if (opts.mode === 'no-cors') {
-				response = new Response('', {
-					status: response.status,
-					statusText: response.statusText,
-					headers: response.headers
+				response = await respond(request, options, {
+					prerender_default,
+					...state,
+					initiator: route
 				});
-			} else {
-				if (url.origin !== event.url.origin) {
-					const acao = response.headers.get('access-control-allow-origin');
-					if (!acao || (acao !== event.url.origin && acao !== '*')) {
-						throw new Error(
-							`CORS error: ${
-								acao ? 'Incorrect' : 'No'
-							} 'Access-Control-Allow-Origin' header is present on the requested resource`
-						);
-					}
+
+				if (state.prerendering) {
+					dependency = { response, body: null };
+					state.prerendering.dependencies.set(url.pathname, dependency);
 				}
+
+				return response;
 			}
-		}
+		});
 
 		const set_cookie = response.headers.get('set-cookie');
 		if (set_cookie) {
-			cookies.push(
+			set_cookies.push(
 				...set_cookie_parser
 					.splitCookiesString(set_cookie)
 					.map((str) => set_cookie_parser.parseString(str))
@@ -210,17 +190,7 @@ export function create_fetch({ event, options, state, route, prerender_default }
 				async function text() {
 					const body = await response.text();
 
-					// TODO just pass `response.headers`, for processing inside `serialize_data`
-					/** @type {import('types').ResponseHeaders} */
-					const headers = {};
-					for (const [key, value] of response.headers) {
-						// TODO skip others besides set-cookie and etag?
-						if (key !== 'set-cookie' && key !== 'etag') {
-							headers[key] = value;
-						}
-					}
-
-					if (!opts.body || typeof opts.body === 'string') {
+					if (!body || typeof body === 'string') {
 						const status_number = Number(response.status);
 						if (isNaN(status_number)) {
 							throw new Error(
@@ -231,16 +201,31 @@ export function create_fetch({ event, options, state, route, prerender_default }
 						}
 
 						fetched.push({
-							url: requested,
-							method: opts.method || 'GET',
-							body: opts.body,
-							response: {
-								status: status_number,
-								statusText: response.statusText,
-								headers,
-								body
-							}
+							url: request.url.startsWith(event.url.origin)
+								? request.url.slice(event.url.origin.length)
+								: request.url,
+							method: request.method,
+							request_body: /** @type {string | undefined} */ (request_body),
+							response_body: body,
+							response: response
 						});
+
+						// ensure that excluded headers can't be read
+						const get = response.headers.get;
+						response.headers.get = (key) => {
+							const lower = key.toLowerCase();
+							const value = get.call(response.headers, lower);
+							if (value && !lower.startsWith('x-sveltekit-')) {
+								const included = resolve_opts.filterSerializedResponseHeaders(lower, value);
+								if (!included) {
+									throw new Error(
+										`Failed to get response header "${lower}" — it must be included by the \`filterSerializedResponseHeaders\` option: https://kit.svelte.dev/docs/hooks#handle`
+									);
+								}
+							}
+
+							return value;
+						};
 					}
 
 					if (dependency) {
@@ -284,5 +269,18 @@ export function create_fetch({ event, options, state, route, prerender_default }
 		return proxy;
 	};
 
-	return { fetcher, fetched, cookies };
+	return { fetcher, fetched, cookies: set_cookies };
+}
+
+/**
+ * @param {RequestInfo | URL} info
+ * @param {RequestInit | undefined} init
+ * @param {URL} url
+ */
+function normalize_fetch_input(info, init, url) {
+	if (info instanceof Request) {
+		return info;
+	}
+
+	return new Request(typeof info === 'string' ? new URL(info, url) : info, init);
 }

package/src/runtime/server/page/index.js

@@ -131,7 +131,8 @@ export async function render_page(event, route, page, options, state, resolve_op
 			options,
 			state,
 			route,
-			prerender_default: should_prerender
+			prerender_default: should_prerender,
+			resolve_opts
 		});
 
 		if (get_option(nodes, 'ssr') === false) {

package/src/runtime/server/page/render.js

@@ -284,7 +284,11 @@ export async function render_response({
 	}
 
 	if (page_config.ssr && page_config.csr) {
-		body += `\n\t${fetched.map((item) => serialize_data(item, !!state.prerendering)).join('\n\t')}`;
+		body += `\n\t${fetched
+			.map((item) =>
+				serialize_data(item, resolve_opts.filterSerializedResponseHeaders, !!state.prerendering)
+			)
+			.join('\n\t')}`;
 	}
 
 	if (options.service_worker) {
@@ -321,6 +325,7 @@ export async function render_response({
 		})) || '';
 
 	const headers = new Headers({
+		'x-sveltekit-page': 'true',
 		'content-type': 'text/html',
 		etag: `"${hash(html)}"`
 	});

package/src/runtime/server/page/respond_with_error.js

@@ -25,7 +25,8 @@ export async function respond_with_error({ event, options, state, status, error,
 		event,
 		options,
 		state,
-		route: GENERIC_ERROR
+		route: GENERIC_ERROR,
+		resolve_opts
 	});
 
 	try {

package/src/runtime/server/page/serialize_data.js

@@ -35,15 +35,35 @@ const pattern = new RegExp(`[${Object.keys(replacements).join('')}]`, 'g');
  * and that the resulting string isn't further modified.
  *
  * @param {import('./types.js').Fetched} fetched
+ * @param {(name: string, value: string) => boolean} filter
  * @param {boolean} [prerendering]
  * @returns {string} The raw HTML of a script element carrying the JSON payload.
  * @example const html = serialize_data('/data.json', null, { foo: 'bar' });
  */
-export function serialize_data(fetched, prerendering = false) {
-	const safe_payload = JSON.stringify(fetched.response).replace(
-		pattern,
-		(match) => replacements[match]
-	);
+export function serialize_data(fetched, filter, prerendering = false) {
+	/** @type {Record<string, string>} */
+	const headers = {};
+
+	let cache_control = null;
+	let age = null;
+
+	for (const [key, value] of fetched.response.headers) {
+		if (filter(key, value)) {
+			headers[key] = value;
+		}
+
+		if (key === 'cache-control') cache_control = value;
+		if (key === 'age') age = value;
+	}
+
+	const payload = {
+		status: fetched.response.status,
+		statusText: fetched.response.statusText,
+		headers,
+		body: fetched.response_body
+	};
+
+	const safe_payload = JSON.stringify(payload).replace(pattern, (match) => replacements[match]);
 
 	const attrs = [
 		'type="application/json"',
@@ -51,20 +71,15 @@ export function serialize_data(fetched, prerendering = false) {
 		`data-url=${escape_html_attr(fetched.url)}`
 	];
 
-	if (fetched.body) {
-		attrs.push(`data-hash=${escape_html_attr(hash(fetched.body))}`);
+	if (fetched.request_body) {
+		attrs.push(`data-hash=${escape_html_attr(hash(fetched.request_body))}`);
 	}
 
-	if (!prerendering && fetched.method === 'GET') {
-		const cache_control = /** @type {string} */ (fetched.response.headers['cache-control']);
-		if (cache_control) {
-			const match = /s-maxage=(\d+)/g.exec(cache_control) ?? /max-age=(\d+)/g.exec(cache_control);
-			if (match) {
-				const age = /** @type {string} */ (fetched.response.headers['age']) ?? '0';
-
-				const ttl = +match[1] - +age;
-				attrs.push(`data-ttl="${ttl}"`);
-			}
+	if (!prerendering && fetched.method === 'GET' && cache_control) {
+		const match = /s-maxage=(\d+)/g.exec(cache_control) ?? /max-age=(\d+)/g.exec(cache_control);
+		if (match) {
+			const ttl = +match[1] - +(age ?? '0');
+			attrs.push(`data-ttl="${ttl}"`);
 		}
 	}
 

package/src/runtime/server/page/types.d.ts

@@ -1,16 +1,12 @@
-import { ResponseHeaders, SSRNode, CspDirectives } from 'types';
+import { SSRNode, CspDirectives } from 'types';
 import { HttpError } from '../../control.js';
 
 export interface Fetched {
 	url: string;
 	method: string;
-	body?: string | null;
-	response: {
-		status: number;
-		statusText: string;
-		headers: ResponseHeaders;
-		body: string;
-	};
+	request_body?: string | null;
+	response_body: string;
+	response: Response;
 }
 
 export interface FetchState {

package/src/utils/routing.js

@@ -12,14 +12,6 @@ export function parse_route_id(id) {
 	// const add_trailing_slash = !/\.[a-z]+$/.test(key);
 	let add_trailing_slash = true;
 
-	if (/\]\[/.test(id)) {
-		throw new Error(`Invalid route ${id} — parameters must be separated`);
-	}
-
-	if (count_occurrences('[', id) !== count_occurrences(']', id)) {
-		throw new Error(`Invalid route ${id} — brackets are unbalanced`);
-	}
-
 	const pattern =
 		id === ''
 			? /^\/$/
@@ -123,15 +115,3 @@ export function exec(match, names, types, matchers) {
 
 	return params;
 }
-
-/**
- * @param {string} needle
- * @param {string} haystack
- */
-function count_occurrences(needle, haystack) {
-	let count = 0;
-	for (let i = 0; i < haystack.length; i += 1) {
-		if (haystack[i] === needle) count += 1;
-	}
-	return count;
-}

package/types/index.d.ts

@@ -176,10 +176,6 @@ export interface KitConfig {
 	};
 }
 
-export interface ExternalFetch {
-	(req: Request): Promise<Response>;
-}
-
 export interface Handle {
 	(input: {
 		event: RequestEvent;
@@ -191,6 +187,10 @@ export interface HandleError {
 	(input: { error: Error & { frame?: string }; event: RequestEvent }): void;
 }
 
+export interface HandleFetch {
+	(input: { event: RequestEvent; request: Request; fetch: typeof fetch }): MaybePromise<Response>;
+}
+
 /**
  * The generic form of `PageLoad` and `LayoutLoad`. You should import those from `./$types` (see [generated types](https://kit.svelte.dev/docs/types#generated-types))
  * rather than using `Load` directly.
@@ -273,6 +273,7 @@ export interface RequestHandler<
 
 export interface ResolveOptions {
 	transformPageChunk?: (input: { html: string; done: boolean }) => MaybePromise<string | undefined>;
+	filterSerializedResponseHeaders?: (name: string, value: string) => boolean;
 }
 
 export class Server {

package/types/internal.d.ts

@@ -3,7 +3,6 @@ import { SvelteComponent } from 'svelte/internal';
 import {
 	Action,
 	Config,
-	ExternalFetch,
 	ServerLoad,
 	Handle,
 	HandleError,
@@ -14,7 +13,8 @@ import {
 	ResolveOptions,
 	Server,
 	ServerInitOptions,
-	SSRManifest
+	SSRManifest,
+	HandleFetch
 } from './index.js';
 import {
 	HttpMethod,
@@ -90,9 +90,9 @@ export type CSRRoute = {
 export type GetParams = (match: RegExpExecArray) => Record<string, string>;
 
 export interface Hooks {
-	externalFetch: ExternalFetch;
 	handle: Handle;
 	handleError: HandleError;
+	handleFetch: HandleFetch;
 }
 
 export interface ImportNode {