sveltejs · Rich-Harris · Aug 21, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 21, 2025
diff --git a/.changeset/eleven-papayas-share.md b/.changeset/eleven-papayas-share.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: make config deprecation warnings more visible
diff --git a/.changeset/weak-clouds-tell.md b/.changeset/weak-clouds-tell.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: deprecate `csrf.checkOrigin` in favour of `csrf.trustedOrigins: ['*']`
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
@@ -1,4 +1,5 @@
 import process from 'node:process';
+import colors from 'kleur';
 
 /** @typedef {import('./types.js').Validator} Validator */
 
@@ -108,7 +109,11 @@ const options = object(
 			}),
 
 			csrf: object({
-				checkOrigin: boolean(true),
+				checkOrigin: deprecate(
+					boolean(true),
+					(keypath) =>
+						`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins: ['*']\`. It will be removed in a future version`
+				),
 				trustedOrigins: string_array([])
 			}),
 
@@ -323,7 +328,7 @@ function deprecate(
 ) {
 	return (input, keypath) => {
 		if (input !== undefined) {
-			console.warn(get_message(keypath));
+			console.warn(colors.bold().yellow(get_message(keypath)));
 		}
 
 		return fn(input, keypath);

diff --git a/packages/kit/src/core/sync/write_server.js b/packages/kit/src/core/sync/write_server.js
@@ -37,7 +37,7 @@ import { set_private_env, set_public_env } from '${runtime_directory}/shared-ser
 export const options = {
 	app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
 	csp: ${s(config.kit.csp)},
-	csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
+	csrf_check_origin: ${s(config.kit.csrf.checkOrigin && !config.kit.csrf.trustedOrigins.includes('*'))},
 	csrf_trusted_origins: ${s(config.kit.csrf.trustedOrigins)},
 	embedded: ${config.kit.embedded},
 	env_public_prefix: '${config.kit.env.publicPrefix}',

diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
@@ -426,14 +426,17 @@ export interface KitConfig {
 		 *
 		 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 		 * @default true
+		 * @deprecated Use `trustedOrigins: ['*']` instead
 		 */
 		checkOrigin?: boolean;
 		/**
-		 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+		 * An array of origins that are allowed to make cross-origin form submissions to your app.
 		 *
 		 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 		 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 		 *
+		 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+		 *
 		 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 		 * @default []
 		 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']

diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
@@ -402,14 +402,17 @@ declare module '@sveltejs/kit' {
 			 *
 			 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 			 * @default true
+			 * @deprecated Use `trustedOrigins: ['*']` instead
 			 */
 			checkOrigin?: boolean;
 			/**
-			 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+			 * An array of origins that are allowed to make cross-origin form submissions to your app.
 			 *
 			 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 			 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 			 *
+			 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+			 *
 			 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 			 * @default []
 			 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']