[fix] ensure serialized headers check is always applied

Closes #7112
sveltejs · Oct 11, 2022 · 85cc43d · 85cc43d
1 parent bf7a6c3
commit 85cc43d
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 17 deletions.
diff --git a/.changeset/strong-experts-begin.md b/.changeset/strong-experts-begin.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[fix] ensure serialized headers check is always applied
diff --git a/packages/kit/src/runtime/server/page/load_data.js b/packages/kit/src/runtime/server/page/load_data.js
@@ -129,23 +129,6 @@ export async function load_data({
 								response_body: body,
 								response: response
 							});
-
-							// ensure that excluded headers can't be read
-							const get = response.headers.get;
-							response.headers.get = (key) => {
-								const lower = key.toLowerCase();
-								const value = get.call(response.headers, lower);
-								if (value && !lower.startsWith('x-sveltekit-')) {
-									const included = resolve_opts.filterSerializedResponseHeaders(lower, value);
-									if (!included) {
-										throw new Error(
-											`Failed to get response header "${lower}" — it must be included by the \`filterSerializedResponseHeaders\` option: https://kit.svelte.dev/docs/hooks#handle`
-										);
-									}
-								}
-
-								return value;
-							};
 						}
 
 						if (dependency) {
@@ -186,6 +169,23 @@ export async function load_data({
 				}
 			});
 
+			// ensure that excluded headers can't be read
+			const get = response.headers.get;
+			response.headers.get = (key) => {
+				const lower = key.toLowerCase();
+				const value = get.call(response.headers, lower);
+				if (value && !lower.startsWith('x-sveltekit-')) {
+					const included = resolve_opts.filterSerializedResponseHeaders(lower, value);
+					if (!included) {
+						throw new Error(
+							`Failed to get response header "${lower}" — it must be included by the \`filterSerializedResponseHeaders\` option: https://kit.svelte.dev/docs/hooks#handle`
+						);
+					}
+				}
+
+				return value;
+			};
+
 			return proxy;
 		},
 		setHeaders: event.setHeaders,

diff --git a/packages/kit/test/apps/basics/src/routes/load/fetch-request-headers-invalid-access/+page.js b/packages/kit/test/apps/basics/src/routes/load/fetch-request-headers-invalid-access/+page.js
@@ -0,0 +1,8 @@
+/** @type {import('./$types').PageLoad} */
+export async function load({ fetch }) {
+	let res = await fetch('./irrelevant', {
+		method: 'GET'
+	});
+
+	res.headers.get('content-type');
+}
diff --git a/...es/kit/test/apps/basics/src/routes/load/fetch-request-headers-invalid-access/+page.svelte b/...es/kit/test/apps/basics/src/routes/load/fetch-request-headers-invalid-access/+page.svelte
diff --git a/packages/kit/test/apps/basics/test/test.js b/packages/kit/test/apps/basics/test/test.js
@@ -851,6 +851,17 @@ test.describe('Load', () => {
 		}
 	});
 
+	test('errors when trying to access non-serialized request headers on the server', async ({
+		page,
+		read_errors
+	}) => {
+		await page.goto('/load/fetch-request-headers-invalid-access');
+
+		expect(read_errors(`/load/fetch-request-headers-invalid-access`).message).toContain(
+			'Failed to get response header "content-type" — it must be included by the `filterSerializedResponseHeaders` option'
+		);
+	});
+
 	test('exposes rawBody as a DataView to endpoints', async ({ page, clicknav }) => {
 		await page.goto('/load/raw-body');
 		await clicknav('[href="/load/raw-body/dataview"]');