From 08adff1562828cddfe7580d6315d378537b2d5f9 Mon Sep 17 00:00:00 2001
From: Giancarmine Salucci
Date: Wed, 6 May 2026 18:58:39 +0200
Subject: [PATCH] fix: bypass CSRF for Web Share Target POST

SvelteKit's CSRF guard rejects POST requests whose Origin header doesn't match the site's own origin. Web Share Target POSTs legitimately arrive from external origins (e.g. youtube.com, OS share sheet). Strip the Origin header in a handle hook for /share POST only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/hooks.server.ts | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 src/hooks.server.ts

diff --git a/src/hooks.server.ts b/src/hooks.server.ts
new file mode 100644
index 0000000..4864314
--- /dev/null
+++ b/src/hooks.server.ts
@@ -0,0 +1,14 @@
+import type { Handle } from '@sveltejs/kit';
+
+export const handle: Handle = async ({ event, resolve }) => {
+ // Web Share Target POSTs arrive with a foreign Origin header (e.g. from
+ // youtube.com or the OS share sheet), which trips SvelteKit's CSRF guard.
+ // Dropping the header for this one route is safe — it is intentionally
+ // designed to receive cross-origin form submissions.
+ if (event.url.pathname === '/share' && event.request.method === 'POST') {
+ const headers = new Headers(event.request.headers);
+ headers.delete('origin');
+ event.request = new Request(event.request, { headers });
+ }
+ return resolve(event);
+};
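Review bot: Deleting the Origin header on the `headers.delete('origin')` line leaves `/share` with no cross-site protection at all, so the route handler must treat every POST it receives as an untrusted cross-site form: it should only stage the shared payload and redirect to a page where the user confirms, and never mutate account state on the strength of session cookies alone; the comment's "is safe" should say that explicitly, e.g. `// Safe only because the /share action stages data and requires a user confirmation step before anything is persisted.` As far as I recall, SvelteKit performs its origin comparison inside `respond()` before the `handle` hook runs, in which case the rewritten request is never seen by the guard and the 403 persists — worth confirming against the installed version, since the supported route is `csrf: { checkOrigin: false }` in the kit config plus an explicit origin check for every other route in this same hook. Dropping the header also hides the sender from downstream logging, so consider `event.locals.shareOrigin = event.request.headers.get('origin');` (constructed name) before the delete so the original value remains available for audit. `Headers` matches names case-insensitively, so the single lowercase `'origin'` delete covers every spelling.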