Skip to content

feat: add CSRF trustedOrigins bypass list #14021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Aug 20, 2025
Merged

feat: add CSRF trustedOrigins bypass list #14021

merged 10 commits into from
Aug 20, 2025

Conversation

khromov
Copy link
Contributor

@khromov khromov commented Jul 19, 2025

Adds csrf.allowedOrigins config to whitelist trusted domains that can submit forms to your app.

Problem

Certain payment providers (and possibly auth services) redirect users back with form submissions that get blocked by CSRF protection. Previously you had to disable CSRF entirely or handle these outside SvelteKit. This is a fairly common Example thread

Solution

  export default {
    kit: {
      csrf: {
        checkOrigin: true,
        allowedOrigins: ['https://checkout.stripe.com', 'https://accounts.google.com']
      }
    }
  }

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

khromov added 3 commits July 19, 2025 15:24
@khromov
Add allowedOrigins option to CSRF config
5d81c95 
Introduces a new `allowedOrigins` array to the CSRF configuration, allowing trusted third-party origins to bypass CSRF origin checks for form submissions. Updates server logic to permit requests from these origins, extends type definitions and documentation, and adds comprehensive tests to verify correct behavior for allowed, blocked, and edge-case origins.
@khromov
Update CSRF test for undefined origin handling
b7d5924 
Renames the test to clarify it checks for undefined origin and removes the 'origin: null' header from the request. This ensures the test accurately reflects scenarios where the origin header is not set.
@khromov
format
2bacd26
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jul 19, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 22f6b14

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@khromov
Add allowedOrigins option to form CSRF config
b9015f9 
Introduces an allowedOrigins array to the form configuration, enabling trusted third-party origins to bypass CSRF protection for cross-origin form submissions. This is useful for integrating with services like payment gateways or authentication providers.
@svelte-docs-bot
Copy link

Preview: https://svelte-dev-git-preview-kit-14021-svelte.vercel.app/

@Rich-Harris Rich-Harris changed the title feat: add CSRF allowedOrigins bypass list feat: add CSRF trustedOrigins bypass list Aug 20, 2025
@Rich-Harris
Copy link
Member

Rich-Harris commented Aug 20, 2025
edited
Loading

This is great, thanks! renamed to trustedOrigins as it's a slightly more loaded term, and is what I've seen other tools use for a similar purpose.

Since this PR predates remote functions, they weren't considered for this, but I think it makes sense to continue to only allow same-origin remote function requests. So I made that change.

I also think we could probably get rid of csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'], since that rhymes with access-control-allow-origin: * and is one less piece of config. I'll open a separate issue for that though

Rich-Harris
Rich-Harris reviewed Aug 20, 2025
View reviewed changes
Rich-Harris
Rich-Harris reviewed Aug 20, 2025
View reviewed changes
@Rich-Harris Rich-Harris merged commit bf95071 into sveltejs:main Aug 20, 2025
17 checks passed
@github-actions github-actions bot mentioned this pull request Aug 20, 2025
Merged
@Rich-Harris Rich-Harris mentioned this pull request Aug 20, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rich-Harris Rich-Harris Rich-Harris approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@khromov @Rich-Harris