chore: deprecate csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'] (#14281)

Rich-Harris · eltigerchino · web-flow · commit c44ddbc4491e · 2025-08-21T08:00:56.000-04:00
* chore: deprecate  in favour of

* add note to docs

* Update packages/kit/src/core/config/options.js

Co-authored-by: Tee Ming &lt;chewteeming01@gmail.com&gt;

---------

Co-authored-by: Tee Ming &lt;chewteeming01@gmail.com&gt;
diff --git a/.changeset/eleven-papayas-share.md b/.changeset/eleven-papayas-share.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: make config deprecation warnings more visible
diff --git a/.changeset/weak-clouds-tell.md b/.changeset/weak-clouds-tell.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: deprecate `csrf.checkOrigin` in favour of `csrf.trustedOrigins: ['*']`
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
@@ -1,4 +1,5 @@
 import process from 'node:process';
+import colors from 'kleur';
 
 /** @typedef {import('./types.js').Validator} Validator */
 
@@ -108,7 +109,11 @@ const options = object(
 			}),
 
 			csrf: object({
-				checkOrigin: boolean(true),
+				checkOrigin: deprecate(
+					boolean(true),
+					(keypath) =>
+						`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins\`. It will be removed in a future version`
+				),
 				trustedOrigins: string_array([])
 			}),
 
@@ -323,7 +328,7 @@ function deprecate(
 ) {
 	return (input, keypath) => {
 		if (input !== undefined) {
-			console.warn(get_message(keypath));
+			console.warn(colors.bold().yellow(get_message(keypath)));
 		}
 
 		return fn(input, keypath);
diff --git a/packages/kit/src/core/sync/write_server.js b/packages/kit/src/core/sync/write_server.js
@@ -37,7 +37,7 @@ import { set_private_env, set_public_env } from '${runtime_directory}/shared-ser
 export const options = {
 	app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
 	csp: ${s(config.kit.csp)},
-	csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
+	csrf_check_origin: ${s(config.kit.csrf.checkOrigin && !config.kit.csrf.trustedOrigins.includes('*'))},
 	csrf_trusted_origins: ${s(config.kit.csrf.trustedOrigins)},
 	embedded: ${config.kit.embedded},
 	env_public_prefix: '${config.kit.env.publicPrefix}',
diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
@@ -426,14 +426,17 @@ export interface KitConfig {
 		 *
 		 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 		 * @default true
+		 * @deprecated Use `trustedOrigins: ['*']` instead
 		 */
 		checkOrigin?: boolean;
 		/**
-		 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+		 * An array of origins that are allowed to make cross-origin form submissions to your app.
 		 *
 		 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 		 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 		 *
+		 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+		 *
 		 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 		 * @default []
 		 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
@@ -402,14 +402,17 @@ declare module '@sveltejs/kit' {
 			 *
 			 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 			 * @default true
+			 * @deprecated Use `trustedOrigins: ['*']` instead
 			 */
 			checkOrigin?: boolean;
 			/**
-			 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+			 * An array of origins that are allowed to make cross-origin form submissions to your app.
 			 *
 			 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 			 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 			 *
+			 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+			 *
 			 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 			 * @default []
 			 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sveltejs/kit': patch
 +---
++
 +chore: make config deprecation warnings more visible
Original file line number	Diff line number	Diff line change
`@@ -426,14 +426,17 @@ export interface KitConfig {`
`426`	`426`	`*`
`427`	`427`	* To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
`428`	`428`	`* @default true`
	`429`	+ * @deprecated Use `trustedOrigins: ['*']` instead
`429`	`430`	`*/`
`430`	`431`	`checkOrigin?: boolean;`
`431`	`432`	`/**`
`432`		- * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
	`433`	`+ * An array of origins that are allowed to make cross-origin form submissions to your app.`
`433`	`434`	`*`
`434`	`435`	* Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
`435`	`436`	`* This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.`
`436`	`437`	`*`
	`438`	+ * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
	`439`	`+ *`
`437`	`440`	`* Warning: Only add origins you completely trust, as this bypasses CSRF protection for those origins.`
`438`	`441`	`* @default []`
`439`	`442`	`* @example ['https://checkout.stripe.com', 'https://accounts.google.com']`
Original file line number	Diff line number	Diff line change
`@@ -402,14 +402,17 @@ declare module '@sveltejs/kit' {`
`402`	`402`	`*`
`403`	`403`	* To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
`404`	`404`	`* @default true`
	`405`	+ * @deprecated Use `trustedOrigins: ['*']` instead
`405`	`406`	`*/`
`406`	`407`	`checkOrigin?: boolean;`
`407`	`408`	`/**`
`408`		- * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
	`409`	`+ * An array of origins that are allowed to make cross-origin form submissions to your app.`
`409`	`410`	`*`
`410`	`411`	* Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
`411`	`412`	`* This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.`
`412`	`413`	`*`
	`414`	+ * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
	`415`	`+ *`
`413`	`416`	`* Warning: Only add origins you completely trust, as this bypasses CSRF protection for those origins.`
`414`	`417`	`* @default []`
`415`	`418`	`* @example ['https://checkout.stripe.com', 'https://accounts.google.com']`