@sveltejs/kit 1.15.0 → 1.15.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -2
- package/src/runtime/server/respond.js +6 -3
- package/src/utils/http.js +10 -3
- package/types/index.d.ts +3 -3
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sveltejs/kit",
|
|
3
|
-
"version": "1.15.
|
|
3
|
+
"version": "1.15.2",
|
|
4
4
|
"repository": {
|
|
5
5
|
"type": "git",
|
|
6
6
|
"url": "https://github.com/sveltejs/kit",
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
"set-cookie-parser": "^2.5.1",
|
|
23
23
|
"sirv": "^2.0.2",
|
|
24
24
|
"tiny-glob": "^0.2.9",
|
|
25
|
-
"undici": "5.
|
|
25
|
+
"undici": "5.20.0"
|
|
26
26
|
},
|
|
27
27
|
"devDependencies": {
|
|
28
28
|
"@playwright/test": "^1.29.2",
|
|
@@ -51,9 +51,12 @@ export async function respond(request, options, manifest, state) {
|
|
|
51
51
|
|
|
52
52
|
if (options.csrf_check_origin) {
|
|
53
53
|
const forbidden =
|
|
54
|
-
request
|
|
55
|
-
request.
|
|
56
|
-
|
|
54
|
+
is_form_content_type(request) &&
|
|
55
|
+
(request.method === 'POST' ||
|
|
56
|
+
request.method === 'PUT' ||
|
|
57
|
+
request.method === 'PATCH' ||
|
|
58
|
+
request.method === 'DELETE') &&
|
|
59
|
+
request.headers.get('origin') !== url.origin;
|
|
57
60
|
|
|
58
61
|
if (forbidden) {
|
|
59
62
|
const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`);
|
package/src/utils/http.js
CHANGED
|
@@ -59,14 +59,21 @@ export function negotiate(accept, types) {
|
|
|
59
59
|
* @param {Request} request
|
|
60
60
|
* @param {...string} types
|
|
61
61
|
*/
|
|
62
|
-
|
|
62
|
+
function is_content_type(request, ...types) {
|
|
63
63
|
const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
|
|
64
|
-
return types.includes(type);
|
|
64
|
+
return types.includes(type.toLowerCase());
|
|
65
65
|
}
|
|
66
66
|
|
|
67
67
|
/**
|
|
68
68
|
* @param {Request} request
|
|
69
69
|
*/
|
|
70
70
|
export function is_form_content_type(request) {
|
|
71
|
-
|
|
71
|
+
// These content types must be protected against CSRF
|
|
72
|
+
// https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/enctype
|
|
73
|
+
return is_content_type(
|
|
74
|
+
request,
|
|
75
|
+
'application/x-www-form-urlencoded',
|
|
76
|
+
'multipart/form-data',
|
|
77
|
+
'text/plain'
|
|
78
|
+
);
|
|
72
79
|
}
|
package/types/index.d.ts
CHANGED
|
@@ -328,13 +328,13 @@ export interface KitConfig {
|
|
|
328
328
|
reportOnly?: CspDirectives;
|
|
329
329
|
};
|
|
330
330
|
/**
|
|
331
|
-
* Protection against [cross-site request forgery](https://owasp.org/www-community/attacks/csrf) attacks.
|
|
331
|
+
* Protection against [cross-site request forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) attacks.
|
|
332
332
|
*/
|
|
333
333
|
csrf?: {
|
|
334
334
|
/**
|
|
335
|
-
* Whether to check the incoming `origin` header for `POST` form submissions and verify that it matches the server's origin.
|
|
335
|
+
* Whether to check the incoming `origin` header for `POST`, `PUT`, `PATCH`, or `DELETE` form submissions and verify that it matches the server's origin.
|
|
336
336
|
*
|
|
337
|
-
* To allow people to make `POST` form
|
|
337
|
+
* To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
|
|
338
338
|
* @default true
|
|
339
339
|
*/
|
|
340
340
|
checkOrigin?: boolean;
|