From dc65c028c1f0dda48bd1b10faa9aa11d3311da27 Mon Sep 17 00:00:00 2001
From: Giancarmine Salucci
Date: Wed, 6 May 2026 19:02:07 +0200
Subject: [PATCH] fix: disable CSRF origin check to allow Web Share Target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SvelteKit's CSRF check runs before the handle hook and blocks POSTs whose Origin header doesn't match the site origin. Web Share Target POSTs from any external app (YouTube, Chrome share sheet, etc.) are legitimately cross-origin. checkOrigin: false is safe here — the app has no cookie-based session auth, so there is no CSRF attack surface. Also remove the ineffective hooks.server.ts approach.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/hooks.server.ts | 14 --------------
 svelte.config.js | 5 ++++-
 2 files changed, 4 insertions(+), 15 deletions(-)
 delete mode 100644 src/hooks.server.ts
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
deleted file mode 100644
index 4864314..0000000
--- a/src/hooks.server.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { Handle } from '@sveltejs/kit';
-
-export const handle: Handle = async ({ event, resolve }) => {
- // Web Share Target POSTs arrive with a foreign Origin header (e.g. from
- // youtube.com or the OS share sheet), which trips SvelteKit's CSRF guard.
- // Dropping the header for this one route is safe — it is intentionally
- // designed to receive cross-origin form submissions.
- if (event.url.pathname === '/share' && event.request.method === 'POST') {
- const headers = new Headers(event.request.headers);
- headers.delete('origin');
- event.request = new Request(event.request, { headers });
- }
- return resolve(event);
-};
diff --git a/svelte.config.js b/svelte.config.js
index 9e98ce3..9409ebb 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -6,7 +6,10 @@ const config = {
 runes: ({ filename }) => (filename.split(/[/\\]/).includes('node_modules') ? undefined : true)
 },
 kit: {
- adapter: adapter({ out: 'build' })
+ adapter: adapter({ out: 'build' }),
+ // CSRF origin check disabled: this app uses no cookie-based session auth,
+ // and the Web Share Target POST legitimately arrives from external origins.
+ csrf: { checkOrigin: false }
 }
 };
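Review bot: `csrf: { checkOrigin: false }` on the last added line switches the origin check off for every route, whereas the hook it replaces limited the exemption to POST /share, and the justification in the new comment ("no cookie-based session auth") is an invariant that nothing in the codebase enforces, so a later cookie session or form action would ship with no CSRF protection and nobody would be prompted to revisit this line. Keep the global switch, since the share target needs it, but restore the check for the other mutating routes in a `handle` hook (sketch below, for src/hooks.server.ts, with the same `Handle` import the deleted file had), and extend the config comment with `// Any route that later relies on cookie auth must be covered by the origin check in src/hooks.server.ts.` The sketch rejects only a present-but-mismatched Origin; SvelteKit's built-in check also rejects a missing Origin on form-encoded requests, so tighten it to that if no non-browser clients post forms. If the SvelteKit version in use supports allow-listing trusted origins for the CSRF check, that is preferable to a blanket disable. The `config` literal opens before the hunk.

```ts
// src/hooks.server.ts — re-apply the origin check for mutating routes other than the share target
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

export const handle: Handle = async ({ event, resolve }) => {
  const { request, url } = event;
  const origin = request.headers.get('origin');
  // Browsers always send Origin on cross-site form posts; a mismatch is the CSRF signal.
  if (MUTATING.has(request.method) && url.pathname !== '/share' && origin !== null && origin !== url.origin) {
    return new Response('Cross-site request forbidden', { status: 403 });
  }
  return resolve(event);
};
```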