CSRF protection and http2 (vite preview)

[feugy]

Hello Svelte community!
I may have found a corner case, which I'm not sure deserves a fix. Hence why I need your help.

Form actions comes with a built-in CSRF protection, which compares requests current and expected origins.
url.origin is set in a middleware for vote, from the incoming host and scheme

While this works fine with Http1.1, it does not when using Http2. With the later, the host header is not included (:authority replaces it).

Http2 can be enabled by including @vitesjs/basic-plugin-ssl (which set https + http2) and running in preview mode. It can be reproduced with Svelte Kit basics test app:

1. cd packages/kit/tests/apps/basics
2. pnpm i -D @vitejs/plugin-basic-ssl
3. edit vite.config.js, add import basicSsl from '@vitejs/plugin-basic-ssl'; and plugins: [baseSsl(), sveltekit()],
4. run pnpm build && pnpm preview
5. run curl https://localhost:4173/csrf -d "key=value" -H "origin: https://localhost:4173" -ik

   this will fail because base variable is https://undefined

This could be fixed here by replacing base when using http2:

if (request.httpVersionMajor === 2) {
  if (base.includes('undefined')) {
    base = `${headers[':scheme']}://${headers[':authority']}`;
  }

Now I am wondering if this really worth it.
If it is, I would need some guidance to write a test.