From 864404d236e770b2d6ef6758600b021f7f8566ed Mon Sep 17 00:00:00 2001
From: kran6a
Date: Fri, 21 Feb 2025 23:55:43 +0000
Subject: [PATCH 1/2] fix: handle `data:` and `about:` protocols better
---
 .changeset/fair-scissors-march.md | 5 +++++
 packages/kit/src/runtime/client/utils.js | 5 +++++
 packages/kit/src/runtime/server/page/render.js | 5 +++--
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/fair-scissors-march.md
diff --git a/.changeset/fair-scissors-march.md b/.changeset/fair-scissors-march.md
new file mode 100644
index 000000000000..c1f812a692c9
--- /dev/null
+++ b/.changeset/fair-scissors-march.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: better handling of data: and about: protocols
diff --git a/packages/kit/src/runtime/client/utils.js b/packages/kit/src/runtime/client/utils.js
index 3e121a75e47a..1373d08ffeba 100644
--- a/packages/kit/src/runtime/client/utils.js
+++ b/packages/kit/src/runtime/client/utils.js
@@ -312,6 +312,11 @@ export function create_updated_store() {
 * @param {boolean} hash_routing
 */
 export function is_external_url(url, base, hash_routing) {
+ //about: and data: protocols are always internal urls
+ if (url.protocol === 'about:' || url.protocol === 'data:') {
+ return false;
+ }
+
 if (url.origin !== origin || !url.pathname.startsWith(base)) {
 return true;
 }
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
index ae8ca1bb5e0b..762c9fe708ad 100644
--- a/packages/kit/src/runtime/server/page/render.js
+++ b/packages/kit/src/runtime/server/page/render.js
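Review bot: In `is_external_url` (packages/kit/src/runtime/client/utils.js) the new early return tests the protocol of the target `url`, not of the current document, so every `about:` or `data:` destination is reported as internal before the `url.origin !== origin` check runs, including when the app itself is served from an ordinary http(s) origin. If the intent is only to support apps that are themselves loaded from an `about:` or `data:` document, the guard should also compare against the document, e.g. `if (url.protocol === location.protocol && (url.protocol === 'about:' || url.protocol === 'data:')) return false;`. The comment would then read better as `// documents loaded from about: or data: have an opaque origin, so same-scheme targets are treated as internal`. The identical hunk is repeated in PATCH 2/2, and the function body continues past the end of the hunk, so the effect on the `hash_routing` branch is not visible here.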
@@ -104,14 +104,15 @@ export async function render_response({
 base = segments.map(() => '..').join('/') || '.';
 // resolve e.g. '../..' against current location, then remove trailing slash
- base_expression = `new URL(${s(base)}, location).pathname.slice(0, -1)`;
+ base_expression = `location.protocol === 'about:' || location.protocol === 'data:' ? new URL('#', location) : new URL(${s(base)}, location).pathname.slice(0, -1)`;
 if (!paths.assets || (paths.assets[0] === '/' && paths.assets !== SVELTE_KIT_ASSETS)) {
 assets = base;
 }
 } else if (options.hash_routing) {
 // we have to assume that we're in the right place
- base_expression = "new URL('.', location).pathname.slice(0, -1)";
+ base_expression =
+ "location.protocol === 'about:' || location.protocol === 'data:' ? new URL('#', location) : new URL('.', location).pathname.slice(0, -1)";
 }
 }
From cf0644966234e0ae879a6d61bf988a27256bea3e Mon Sep 17 00:00:00 2001
From: kran6a
Date: Fri, 21 Feb 2025 23:55:43 +0000
Subject: [PATCH 2/2] fix: handle `data:` and `about:` protocols better
---
 .changeset/fair-scissors-march.md | 5 +++++
 packages/kit/src/runtime/client/utils.js | 5 +++++
 packages/kit/src/runtime/server/page/render.js | 5 +++--
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/fair-scissors-march.md
diff --git a/.changeset/fair-scissors-march.md b/.changeset/fair-scissors-march.md
new file mode 100644
index 000000000000..c1f812a692c9
--- /dev/null
+++ b/.changeset/fair-scissors-march.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: better handling of data: and about: protocols
diff --git a/packages/kit/src/runtime/client/utils.js b/packages/kit/src/runtime/client/utils.js
index 6c324d1a769b..d7639bfeb6c3 100644
--- a/packages/kit/src/runtime/client/utils.js
+++ b/packages/kit/src/runtime/client/utils.js
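Review bot: Both rewritten `base_expression` strings in `render_response` (packages/kit/src/runtime/server/page/render.js) have arms of different types: on an `about:` or `data:` document they evaluate to a `URL` object (`new URL('#', location)`), otherwise to a pathname string. Client code that treats the base as a string, presumably including `url.pathname.startsWith(base)` in `is_external_url`, would then depend on implicit coercion of that object. The new arm should produce a string explicitly, for example `new URL('#', location).href` if the full document URL is what the client expects, and the existing comment `then remove trailing slash` should be extended to say what the base is for these two schemes. The protocol test is also duplicated verbatim in the two assignments and could be built once and interpolated into both. The identical hunk is repeated in PATCH 2/2, and `render_response` starts and ends outside the hunk, so how the value is consumed cannot be confirmed from here.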
@@ -312,6 +312,11 @@ export function create_updated_store() {
 * @param {boolean} hash_routing
 */
 export function is_external_url(url, base, hash_routing) {
+ //about: and data: protocols are always internal urls
+ if (url.protocol === 'about:' || url.protocol === 'data:') {
+ return false;
+ }
+
 if (url.origin !== origin || !url.pathname.startsWith(base)) {
 return true;
 }
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
index 853fb54cb0ac..498a78f304dc 100644
--- a/packages/kit/src/runtime/server/page/render.js
+++ b/packages/kit/src/runtime/server/page/render.js
@@ -104,14 +104,15 @@ export async function render_response({
 base = segments.map(() => '..').join('/') || '.';
 // resolve e.g. '../..' against current location, then remove trailing slash
- base_expression = `new URL(${s(base)}, location).pathname.slice(0, -1)`;
+ base_expression = `location.protocol === 'about:' || location.protocol === 'data:' ? new URL('#', location) : new URL(${s(base)}, location).pathname.slice(0, -1)`;
 if (!paths.assets || (paths.assets[0] === '/' && paths.assets !== SVELTE_KIT_ASSETS)) {
 assets = base;
 }
 } else if (options.hash_routing) {
 // we have to assume that we're in the right place
- base_expression = "new URL('.', location).pathname.slice(0, -1)";
+ base_expression =
+ "location.protocol === 'about:' || location.protocol === 'data:' ? new URL('#', location) : new URL('.', location).pathname.slice(0, -1)";
 }
 }