Skip to content

chore: deprecate csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'] #14281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 21, 2025
+26 −5
Merged

chore: deprecate csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'] #14281

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b644e93
chore: deprecate in favour of
Rich-Harris Aug 20, 2025
fcd5ef4
add note to docs
Rich-Harris Aug 20, 2025
333d9fd
Update packages/kit/src/core/config/options.js
Rich-Harris Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/eleven-papayas-share.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@sveltejs/kit': patch
---

chore: make config deprecation warnings more visible
5 changes: 5 additions & 0 deletions .changeset/weak-clouds-tell.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@sveltejs/kit': patch
---

chore: deprecate `csrf.checkOrigin` in favour of `csrf.trustedOrigins: ['*']`
9 changes: 7 additions & 2 deletions packages/kit/src/core/config/options.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import process from 'node:process';
import colors from 'kleur';

/** @typedef {import('./types.js').Validator} Validator */

Expand Down Expand Up @@ -108,7 +109,11 @@ const options = object(
}),

csrf: object({
checkOrigin: boolean(true),
checkOrigin: deprecate(
boolean(true),
(keypath) =>
`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins\`. It will be removed in a future version`
),
trustedOrigins: string_array([])
}),

Expand Down Expand Up @@ -323,7 +328,7 @@ function deprecate(
) {
return (input, keypath) => {
if (input !== undefined) {
console.warn(get_message(keypath));
console.warn(colors.bold().yellow(get_message(keypath)));
}

return fn(input, keypath);
Expand Down
2 changes: 1 addition & 1 deletion packages/kit/src/core/sync/write_server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ import { set_private_env, set_public_env } from '${runtime_directory}/shared-ser
export const options = {
app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
csp: ${s(config.kit.csp)},
csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
csrf_check_origin: ${s(config.kit.csrf.checkOrigin && !config.kit.csrf.trustedOrigins.includes('*'))},
csrf_trusted_origins: ${s(config.kit.csrf.trustedOrigins)},
embedded: ${config.kit.embedded},
env_public_prefix: '${config.kit.env.publicPrefix}',
Expand Down
5 changes: 4 additions & 1 deletion packages/kit/src/exports/public.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -426,14 +426,17 @@ export interface KitConfig {
*
* To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
* @default true
* @deprecated Use `trustedOrigins: ['*']` instead
*/
checkOrigin?: boolean;
/**
* An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
* An array of origins that are allowed to make cross-origin form submissions to your app.
*
* Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
* This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
*
* If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
*
* **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
* @default []
* @example ['https://checkout.stripe.com', 'https://accounts.google.com']
Expand Down
5 changes: 4 additions & 1 deletion packages/kit/types/index.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -402,14 +402,17 @@ declare module '@sveltejs/kit' {
*
* To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
* @default true
* @deprecated Use `trustedOrigins: ['*']` instead
*/
checkOrigin?: boolean;
/**
* An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
* An array of origins that are allowed to make cross-origin form submissions to your app.
*
* Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
* This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
*
* If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
*
* **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
* @default []
* @example ['https://checkout.stripe.com', 'https://accounts.google.com']
Expand Down