dc65c028c1
All checks were successful
Build & Push Docker Image / build-and-push (push) Successful in 40s
SvelteKit's CSRF check runs before the handle hook and blocks POSTs whose Origin header doesn't match the site origin. Web Share Target POSTs from any external app (YouTube, Chrome share sheet, etc.) are legitimately cross-origin. checkOrigin: false is safe here — the app has no cookie-based session auth, so there is no CSRF attack surface. Also remove the ineffective hooks.server.ts approach. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
494 B
494 B