l0uisgrange

Hey there 👋,

I think a bug was introduced in 0.36.0 with #14021. The command and form remote functions ignore the csrf configuration.

My app was successfully working on 0.35.0, and with 0.36.0 I get this error:

{ message: "Cross-site remote requests are forbidden" }

If I downgrade, my remote calls start working again.

After looking a bit at recent PRs: previously, the error was behind a csrf_check_origin, and it isn't anymore, allowing for false-positive CSRF errors.

I think this fixes the issue. Thanks for the amazing work on kit 😉!


Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

changeset-bot bot commented Aug 25, 2025

🦋 Changeset detected

Latest commit: a4083e8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

@l0uisgrange l0uisgrange marked this pull request as ready for review August 25, 2025 09:44
@Rich-Harris
Member

This isn't a bug, it's intentional — there shouldn't be a situation in which you're calling a remote function from a different origin. Are you using adapter-node? If so you may need to set some environment variables so that SvelteKit can reconstruct the URL correctly. If not, I'd be curious to understand how you're encountering this

@l0uisgrange
Author

Oops, sorry then, wasn't aware of that 😅. I've set the environment variables from the documentation in my .env.

ORIGIN=https://mydomain.localhost
PROTOCOL_HEADER=x-forwarded-proto
HOST_HEADER=x-forwarded-host

I'm using adapter-node with Docker Compose (with reverse proxy), but it's still strange. I've done a little research to find out where it fails exactly, and it seems kit doesn't trust the headers (it takes http://mydomain.localhost instead of https://mydomain.localhost). I used the following code in hooks.server.ts:

import type { Handle } from '@sveltejs/kit';

export const handle: Handle = async ({ event, resolve }) => {
    // Values observed behind the reverse proxy (Docker Compose, adapter-node):
    console.log(event.request.headers.get('origin'));            // null
    console.log(event.url.origin);                               // http://mydomain.localhost
    console.log(event.request.headers.get('host'));              // mydomain.localhost
    console.log(event.request.headers.get('x-forwarded-proto')); // https
    return await resolve(event);
};

The documentation you sent only refers to the Node server, not Vite's dev server... so I wonder if this could be the root cause?

@PatrickG
Member

PatrickG commented Aug 25, 2025

IMO, we should simply disable this check in development mode.
From time to time, help threads with this error message are created by users who are using a reverse proxy or have simply set up a DNS entry in their hosts file and are not using http://localhost:5173 for their local development.
Normally, I would recommend disabling csrf.checkOrigin during development, but that doesn't work (currently) for remote functions. And the ORIGIN (and PROTOCOL_HEADER/HOST_HEADER/PORT_HEADER) env var is only respected by adapter-node not by the dev server.
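The mechanism behind the two comments above, as an added example that is not SvelteKit's own code: a server behind a TLS-terminating reverse proxy only sees `http://` plus the Host header unless it is told which forwarded headers to trust, so a strict same-origin check compares the browser's `Origin: https://mydomain.localhost` against a reconstructed `http://mydomain.localhost` and rejects a legitimate request. The environment variable names (ORIGIN, PROTOCOL_HEADER, HOST_HEADER) are the ones documented for adapter-node; the functions, the option names, the fail-closed policy for a missing Origin header and the request headers are this example's own assumptions and constructed data.

```javascript
// Added example, not SvelteKit's implementation. Header objects use
// lower-case keys, as Node's IncomingMessage.headers does.

// Build the server's view of its own origin. `config` mirrors the
// adapter-node environment variables; an empty config models the dev
// server, which ignores them.
function reconstructOrigin(headers, config = {}) {
  if (config.ORIGIN) return config.ORIGIN; // explicit override wins
  const proto =
    (config.PROTOCOL_HEADER && headers[config.PROTOCOL_HEADER]) || 'http';
  const host =
    (config.HOST_HEADER && headers[config.HOST_HEADER]) || headers.host;
  return `${proto}://${host}`;
}

// Strict same-origin check on a state-changing request. A missing Origin
// header is treated as cross-site (fail closed); that policy is this
// example's choice, not a statement about SvelteKit's behaviour.
function checkOrigin(headers, config = {}, { enabled = true } = {}) {
  if (!enabled) return { ok: true, reason: 'csrf.checkOrigin disabled' };
  const expected = reconstructOrigin(headers, config);
  const actual = headers.origin;
  if (actual === expected) return { ok: true, expected, actual };
  return {
    ok: false,
    expected,
    actual,
    message: 'Cross-site remote requests are forbidden',
  };
}

// Constructed request as the proxy in the thread would forward it: TLS
// terminated at the proxy, original scheme/host passed along in headers.
const proxiedRequest = {
  host: 'mydomain.localhost',
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'mydomain.localhost',
  origin: 'https://mydomain.localhost',
};

const trustProxy = {
  PROTOCOL_HEADER: 'x-forwarded-proto',
  HOST_HEADER: 'x-forwarded-host',
};

// 1. Forwarded headers ignored (dev server): false positive.
const untrusted = checkOrigin(proxiedRequest, {});

// 2. Forwarded headers honoured (adapter-node with env vars): passes.
const trusted = checkOrigin(proxiedRequest, trustProxy);

// 3. Fixed ORIGIN override instead of header-based reconstruction: passes.
const fixedOrigin = checkOrigin(proxiedRequest, {
  ORIGIN: 'https://mydomain.localhost',
});

// 4. Genuinely cross-site: a third-party page posting to the app.
const crossSite = checkOrigin(
  { ...proxiedRequest, origin: 'https://evil.example' },
  trustProxy,
);

// 5. Check disabled for local development, as suggested in the thread.
const devDisabled = checkOrigin(proxiedRequest, {}, { enabled: false });

console.log({ untrusted, trusted, fixedOrigin, crossSite, devDisabled });
```

Case 1 is the situation reported in this PR: nothing is wrong with the check itself, the server simply has the wrong idea of its own origin. Cases 2 and 3 are the two adapter-node fixes (trust specific forwarded headers, or pin ORIGIN), and case 4 shows that either fix still rejects a real cross-site request.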

dummdidumm pushed a commit that referenced this pull request Aug 28, 2025