Skip to content

feat(ssr): Same-origin fetch cookie passthrough #1847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 15, 2021
Merged

feat(ssr): Same-origin fetch cookie passthrough #1847

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f58b2df
feat(ssr): Same-origin fetch cookie passthrough
GrygrFlzr Jul 7, 2021
f6ad16d
chore: readability changes
GrygrFlzr Jul 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/thick-steaks-sneeze.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@sveltejs/kit': patch
---

Passthrough server-side fetch cookies for most same-origin scenarios
2 changes: 2 additions & 0 deletions documentation/docs/03-loading.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,8 @@ So if the example above was `src/routes/blog/[slug].svelte` and the URL was `htt

> When `fetch` runs on the server, the resulting response will be serialized and inlined into the rendered HTML. This allows the subsequent client-side `load` to access identical data immediately without an additional network request.

> Cookies will only be passed through if the target host is the same as the SvelteKit application or a more specific subdomain of it.

#### session

`session` can be used to pass data from the server related to the current request, e.g. the current user. By default it is `undefined`. See [`getSession`](#hooks-getsession) to learn how to use it.
Expand Down
32 changes: 28 additions & 4 deletions packages/kit/src/runtime/server/page/load_node.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ import { resolve } from './resolve.js';

const s = JSON.stringify;

const hasScheme = (/** @type {string} */ url) => /^[a-zA-Z]+:/.test(url);

/**
*
* @param {{
Expand Down Expand Up @@ -97,10 +99,32 @@ export async function load_node({

let response;

if (/^[a-zA-Z]+:/.test(url)) {
// external fetch
const request = new Request(url, /** @type {RequestInit} */ (opts));
response = await options.hooks.serverFetch.call(null, request);
if (hasScheme(url)) {
// possibly external fetch
if (typeof request.host !== 'undefined') {
const { hostname: fetchHostname } = new URL(url);
const [serverHostname] = request.host.split(':');

// allow cookie passthrough for "same-origin"
// if SvelteKit is serving my.domain.com:
// - domain.com WILL NOT receive cookies
// - my.domain.com WILL receive cookies
// - api.domain.dom WILL NOT receive cookies
// - sub.my.domain.com WILL receive cookies
// ports do not affect the resolution
// leading dot prevents mydomain.com matching domain.com
if (`.${fetchHostname}`.endsWith(`.${serverHostname}`) && opts.credentials !== 'omit') {
uses_credentials = true;

opts.headers = {
...opts.headers,
cookie: request.headers.cookie
};
}
}

const externalRequest = new Request(url, /** @type {RequestInit} */ (opts));
response = await options.hooks.serverFetch.call(null, externalRequest);
} else {
const [path, search] = url.split('?');

Expand Down