Skip to content

fix: disable CSRF checks in dev #14335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 28, 2025
Merged

fix: disable CSRF checks in dev #14335

merged 3 commits into from
Aug 28, 2025

Conversation

Rich-Harris
Copy link
Member

@Rich-Harris Rich-Harris commented Aug 28, 2025
edited
Loading

#14309 (comment)

closes #14309

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 28, 2025
edited
Loading

🦋 Changeset detected

Latest commit: bca2764

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@svelte-docs-bot
Copy link

Preview: https://svelte-dev-git-preview-kit-14335-svelte.vercel.app/

dummdidumm
dummdidumm approved these changes Aug 28, 2025
View reviewed changes
Copy link
Member

@dummdidumm dummdidumm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

worth a callout in the docs somewhere? not sure where, and not in any way blocking

@Rich-Harris
Copy link
Member Author

good point — added to the csrf.trustedOrigins inline docs

@dummdidumm dummdidumm merged commit 7f4ab16 into main Aug 28, 2025
21 of 22 checks passed
@dummdidumm dummdidumm deleted the dev-disable-csrf branch August 28, 2025 16:04
@github-actions github-actions bot mentioned this pull request Aug 28, 2025
Merged
@khromov
Copy link
Contributor

khromov commented Aug 28, 2025

@Rich-Harris I've talked to people on Discord that seemed to be running "npm run dev" in production. It's not a valid use case but I wonder if we won't accidentally enable a sudden security hole for these people, which can come back in form of badwill? This change sounds like something for Kit 3.x imho. Wouldn't it be possible to have remote functions respect csrf.checkOrigin?

@Rich-Harris
Copy link
Member Author

I... what?

How? How does someone end up in that situation? It's literally called npm run dev.

Wouldn't it be possible to have remote functions respect csrf.checkOrigin?

That's a separate conversation to 'should the origin be checked?' and the answer is no — if something other than your own origin is calling remote functions, it's a bad request, period

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dummdidumm dummdidumm dummdidumm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Rich-Harris @khromov @dummdidumm