Cross-site POST form submissions are forbidden? #7600
Replies: 14 comments 10 replies
-
I absolutely have the same problem! On Postman all GET requests work fine. Trying POST requests and I also got
Someone please help us ! :) |
Beta Was this translation helpful? Give feedback.
-
Yeah, this issue is also biting me up while am on remote platform gitpod.io , this is actually due to cross-site origin policy , I have also not got any permanent soluton for now, but I guess you can keep origin check false for now while you are in dev environment and turn on while building the app , This seem untidy but I have been doing this :( ! |
Beta Was this translation helpful? Give feedback.
-
I just had the same issue, running SvelteKit behind Traefik reverse proxy, that does the TLS/SSL termination. Not recommended (but easy) solution from StackOverflow:
For reference, another issue about this topic: #6589 |
Beta Was this translation helpful? Give feedback.
-
For reference: #8314. This happens workspaces like Gitpod or StackBlitz where you access your preview on a non-localhost URL. |
Beta Was this translation helpful? Give feedback.
-
It can happen when your urls point to the wrong port. It's the external port you need. |
Beta Was this translation helpful? Give feedback.
-
After new update, get constantly |
Beta Was this translation helpful? Give feedback.
-
as far as I can tell the solution is to disable csrf which seems like a non-solution. any ideas from dev team on an actual solution? I run a lot of sveltekit apps on a caddy reverse_proxy setup and this is kinda silly there's not a better solution.... |
Beta Was this translation helpful? Give feedback.
-
@Rich-Harris hi could you help us? Thanks for the best framework |
Beta Was this translation helpful? Give feedback.
-
It works for node deployments etcetra, to get arround this will using the dev server you need to modify the headers somewhat. here is a simple solution to that. Anyone have improvements I could make to this? //vite.config.ts
export default defineConfig({
plugins: [
{
name: "configure-response-headers",
configureServer: (server) => {
server.middlewares.use((_req, res, next) => {
const ori = _req.headers.origin
const referer = _req.headers.referer
if((ori == "https://example.com"|| !ori)){
_req.headers.origin = "http://localhost:5173"
}
next();
// _req.headers.origin = originalOrigin
});
},
},
sveltekit(),
]
}); |
Beta Was this translation helpful? Give feedback.
-
same problem happened to me. turns out it was for some headers i've set in the hooks.server.ts // response.headers.set('Referrer-Policy', 'no-referrer'); // this one breaks form submission
// response.headers.set('Referrer-Policy', 'origin-when-cross-origin');
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); // default, works |
Beta Was this translation helpful? Give feedback.
-
Hope this helps |
Beta Was this translation helpful? Give feedback.
-
HI got this svelte.config.js:
That works absolutely fine |
Beta Was this translation helpful? Give feedback.
-
I overwrote the checkorigin code by basically copying it from the svelte
kit source code and adding my own parts to it...
…On Mon, 22 Apr 2024 at 22:26, Maximilian Kürschner ***@***.***> wrote:
I think you should not set checkOrigin to false. Especially not for your
production app, as it is a protection against CSRF attacks. Did you try
setting the ORIGIN environment variable before starting your server like
this: ORIGIN=http://localhost:3000 node build/index.js
You can also check my blog post on the topic here
<https://www.programonaut.com/cross-site-post-form-submissions-are-forbidden-in-sveltekit/>
—
Reply to this email directly, view it on GitHub
<#7600 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE7H37OSN26BZ4ATAL4W4SDY6VXARAVCNFSM6AAAAAAR466XCGVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TCOJTGQZTE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
ORIGIN env variable only works while building
…On Thu, 25 Apr 2024 at 09:52, Julian Hammer ***@***.***> wrote:
I know, and I tried to set it to the ORIGIN but it still didn't work.
I put the ORIGIN into my .env do I need to do something else with it?
And how do I set the ORIGIN if the domain is https://realgolf.games and I
have a costume node server at server/app.js?
—
Reply to this email directly, view it on GitHub
<#7600 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE7H37OQU5VOBFJHL5LLYZDY7CY3TAVCNFSM6AAAAAAR466XCGVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TEMRRHE2DO>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
Hey. I've got a pretty fresh SvelteKit installation. I'm trying to set up a login form action. When I submit the form I get the error:
Cross-site POST form submissions are forbidden
Reading up on it it seems like it could be that the ORIGIN env var isn't set (but I have set it, and it matches the origin that my requests are coming from).
If I turn of origin checking in the config then it works, but this doesn't seem like a good idea. I'd like to get it working securely if possible.
Here's my
+page.svelete
(I've simplified it by removing the components that I'm using for labels and errors etc.):And here's my
+page.server.js
file:I'm hoping these are pretty standard? Nothing odd about them? (I'm new to SvelteKit).
In my attempts to debug I added some console debugging to the
respond
function in SvelteKit'ssrc/runtime/server/index.js
file. For a single form submission (my browser shows only one network request)respond
is called twice. The first timerequest.headers.get('origin')
is set to the origin I expect. The second time it isnull
. Does that help?Thanks all!
EDIT: Silly mistakes, not importing things, etc.
Beta Was this translation helpful? Give feedback.
All reactions