Skip to content

feat: add CSRF allowedOrigins bypass list #14021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: add CSRF allowedOrigins bypass list #14021

wants to merge 5 commits into from

Conversation

khromov
Copy link

@khromov khromov commented Jul 19, 2025

Adds csrf.allowedOrigins config to whitelist trusted domains that can submit forms to your app.

Problem

Certain payment providers (and possibly auth services) redirect users back with form submissions that get blocked by CSRF protection. Previously you had to disable CSRF entirely or handle these outside SvelteKit. This is a fairly common Example thread

Solution

  export default {
    kit: {
      csrf: {
        checkOrigin: true,
        allowedOrigins: ['https://checkout.stripe.com', 'https://accounts.google.com']
      }
    }
  }

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

khromov added 3 commits July 19, 2025 15:24
@khromov
Add allowedOrigins option to CSRF config
5d81c95 
Introduces a new `allowedOrigins` array to the CSRF configuration, allowing trusted third-party origins to bypass CSRF origin checks for form submissions. Updates server logic to permit requests from these origins, extends type definitions and documentation, and adds comprehensive tests to verify correct behavior for allowed, blocked, and edge-case origins.
@khromov
Update CSRF test for undefined origin handling
b7d5924 
Renames the test to clarify it checks for undefined origin and removes the 'origin: null' header from the request. This ensures the test accurately reflects scenarios where the origin header is not set.
@khromov
format
2bacd26
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jul 19, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 2cddffd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@khromov
Add allowedOrigins option to form CSRF config
b9015f9 
Introduces an allowedOrigins array to the form configuration, enabling trusted third-party origins to bypass CSRF protection for cross-origin form submissions. This is useful for integrating with services like payment gateways or authentication providers.
@svelte-docs-bot
Copy link

Preview: https://svelte-dev-git-preview-kit-14021-svelte.vercel.app/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@khromov