From b644e93279e80872b7c0ed2c9c1f173de3072542 Mon Sep 17 00:00:00 2001
From: Rich Harris <rich.harris@vercel.com>
Date: Wed, 20 Aug 2025 19:15:35 -0400
Subject: [PATCH 1/3] chore: deprecate  in favour of

---
 .changeset/eleven-papayas-share.md         | 5 +++++
 .changeset/weak-clouds-tell.md             | 5 +++++
 packages/kit/src/core/config/options.js    | 9 +++++++--
 packages/kit/src/core/sync/write_server.js | 2 +-
 packages/kit/src/exports/public.d.ts       | 3 ++-
 packages/kit/types/index.d.ts              | 1 +
 6 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 .changeset/eleven-papayas-share.md
 create mode 100644 .changeset/weak-clouds-tell.md

diff --git a/.changeset/eleven-papayas-share.md b/.changeset/eleven-papayas-share.md
new file mode 100644
index 000000000000..400ebf812d69
--- /dev/null
+++ b/.changeset/eleven-papayas-share.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: make config deprecation warnings more visible
diff --git a/.changeset/weak-clouds-tell.md b/.changeset/weak-clouds-tell.md
new file mode 100644
index 000000000000..2cdfd9dc414a
--- /dev/null
+++ b/.changeset/weak-clouds-tell.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: deprecate `csrf.checkOrigin` in favour of `csrf.trustedOrigins: ['*']`
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
index 2210130b148b..cc172e3e8f02 100644
--- a/packages/kit/src/core/config/options.js
+++ b/packages/kit/src/core/config/options.js
@@ -1,4 +1,5 @@
 import process from 'node:process';
+import colors from 'kleur';
 
 /** @typedef {import('./types.js').Validator} Validator */
 
@@ -108,7 +109,11 @@ const options = object(
 			}),
 
 			csrf: object({
-				checkOrigin: boolean(true),
+				checkOrigin: deprecate(
+					boolean(true),
+					(keypath) =>
+						`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins: ['*']\`. It will be removed in a future version`
+				),
 				trustedOrigins: string_array([])
 			}),
 
@@ -323,7 +328,7 @@ function deprecate(
 ) {
 	return (input, keypath) => {
 		if (input !== undefined) {
-			console.warn(get_message(keypath));
+			console.warn(colors.bold().yellow(get_message(keypath)));
 		}
 
 		return fn(input, keypath);
diff --git a/packages/kit/src/core/sync/write_server.js b/packages/kit/src/core/sync/write_server.js
index f23f23b268be..639b8506f340 100644
--- a/packages/kit/src/core/sync/write_server.js
+++ b/packages/kit/src/core/sync/write_server.js
@@ -37,7 +37,7 @@ import { set_private_env, set_public_env } from '${runtime_directory}/shared-ser
 export const options = {
 	app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
 	csp: ${s(config.kit.csp)},
-	csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
+	csrf_check_origin: ${s(config.kit.csrf.checkOrigin && !config.kit.csrf.trustedOrigins.includes('*'))},
 	csrf_trusted_origins: ${s(config.kit.csrf.trustedOrigins)},
 	embedded: ${config.kit.embedded},
 	env_public_prefix: '${config.kit.env.publicPrefix}',
diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
index 22df7f3c91e5..94c9c34de425 100644
--- a/packages/kit/src/exports/public.d.ts
+++ b/packages/kit/src/exports/public.d.ts
@@ -426,10 +426,11 @@ export interface KitConfig {
 		 *
 		 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 		 * @default true
+		 * @deprecated Use `trustedOrigins: ['*']` instead
 		 */
 		checkOrigin?: boolean;
 		/**
-		 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+		 * An array of origins that are allowed to make cross-origin form submissions to your app.
 		 *
 		 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 		 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index 07e62b12c88b..0f95981e415c 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -402,6 +402,7 @@ declare module '@sveltejs/kit' {
 			 *
 			 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 			 * @default true
+			 * @deprecated Use `trustedOrigins: ['*']` instead
 			 */
 			checkOrigin?: boolean;
 			/**

From fcd5ef4bc67038cdd1fd4be3ab97e9d38e734764 Mon Sep 17 00:00:00 2001
From: Rich Harris <rich.harris@vercel.com>
Date: Wed, 20 Aug 2025 19:17:54 -0400
Subject: [PATCH 2/3] add note to docs

---
 packages/kit/src/exports/public.d.ts | 2 ++
 packages/kit/types/index.d.ts        | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
index 94c9c34de425..b96b92a9c1b8 100644
--- a/packages/kit/src/exports/public.d.ts
+++ b/packages/kit/src/exports/public.d.ts
@@ -435,6 +435,8 @@ export interface KitConfig {
 		 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 		 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 		 *
+		 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+		 *
 		 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 		 * @default []
 		 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index 0f95981e415c..3a7b23f3d882 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -406,11 +406,13 @@ declare module '@sveltejs/kit' {
 			 */
 			checkOrigin?: boolean;
 			/**
-			 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+			 * An array of origins that are allowed to make cross-origin form submissions to your app.
 			 *
 			 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 			 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 			 *
+			 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+			 *
 			 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 			 * @default []
 			 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']

From 333d9fd1fc5c861812b91e5d79fad21c391ec477 Mon Sep 17 00:00:00 2001
From: Rich Harris <richard.a.harris@gmail.com>
Date: Thu, 21 Aug 2025 07:30:16 -0400
Subject: [PATCH 3/3] Update packages/kit/src/core/config/options.js

Co-authored-by: Tee Ming <chewteeming01@gmail.com>
---
 packages/kit/src/core/config/options.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
index cc172e3e8f02..0d7d7fc5b3b6 100644
--- a/packages/kit/src/core/config/options.js
+++ b/packages/kit/src/core/config/options.js
@@ -112,7 +112,7 @@ const options = object(
 				checkOrigin: deprecate(
 					boolean(true),
 					(keypath) =>
-						`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins: ['*']\`. It will be removed in a future version`
+						`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins\`. It will be removed in a future version`
 				),
 				trustedOrigins: string_array([])
 			}),