fix: disable CSRF origin check to allow Web Share Target
All checks were successful
Build & Push Docker Image / build-and-push (push) Successful in 40s
All checks were successful
Build & Push Docker Image / build-and-push (push) Successful in 40s
SvelteKit's CSRF check runs before the handle hook and blocks POSTs whose Origin header doesn't match the site origin. Web Share Target POSTs from any external app (YouTube, Chrome share sheet, etc.) are legitimately cross-origin. checkOrigin: false is safe here — the app has no cookie-based session auth, so there is no CSRF attack surface. Also remove the ineffective hooks.server.ts approach. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Giancarmine Salucci
@@ -1,14 +0,0 @@
|
||||
import type { Handle } from '@sveltejs/kit';
|
||||
|
||||
export const handle: Handle = async ({ event, resolve }) => {
|
||||
// Web Share Target POSTs arrive with a foreign Origin header (e.g. from
|
||||
// youtube.com or the OS share sheet), which trips SvelteKit's CSRF guard.
|
||||
// Dropping the header for this one route is safe — it is intentionally
|
||||
// designed to receive cross-origin form submissions.
|
||||
if (event.url.pathname === '/share' && event.request.method === 'POST') {
|
||||
const headers = new Headers(event.request.headers);
|
||||
headers.delete('origin');
|
||||
event.request = new Request(event.request, { headers });
|
||||
}
|
||||
return resolve(event);
|
||||
};
|
||||
@@ -6,7 +6,10 @@ const config = {
|
||||
runes: ({ filename }) => (filename.split(/[/\\]/).includes('node_modules') ? undefined : true)
|
||||
},
|
||||
kit: {
|
||||
adapter: adapter({ out: 'build' })
|
||||
adapter: adapter({ out: 'build' }),
|
||||
// CSRF origin check disabled: this app uses no cookie-based session auth,
|
||||
// and the Web Share Target POST legitimately arrives from external origins.
|
||||
csrf: { checkOrigin: false }
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
Reference in New Issue
Block a user