Add filterSerializedResponseHeaders function

[Rich-Harris]

Companion to #6565. Supersedes #6541, closes #1971.

This is a breaking change — it prevents response headers that come from a fetch in load from being serialized into the HTML, unless they are explicitly included.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: 643f664

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[netlify]

✅ Deploy Preview for kit-demo ready!

Name	Link
🔨 Latest commit	c86e238
🔍 Latest deploy log	https://app.netlify.com/sites/kit-demo/deploys/6316074a2937a20008203613
😎 Deploy Preview	https://deploy-preview-6569--kit-demo.netlify.app/build
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[Conduitry]

Are we not automatically whitelisting any headers anymore? I remember in some version of this proposal, we would automatically include content-type. That's gone?

[Rich-Harris]

It was whitelisted because some tests expected it, but that seems like a bad reason to keep it. Things like response.json() work the same way with or without content-type, so the only time you'd actually need it is if you're explicitly reading that header.

I did wonder about filtering the headers during SSR so that you'd get a 'btw you need to include this header' error

[Rich-Harris]

(though now that I think about it i have no idea if it's possible to monkey-patch response.headers like that)

[Rich-Harris]

the monkey has been patched

[bummzack]

Not forwarding the content-type header might create a lot of unwanted issues/side-effects with other libraries. It took me quite some time to figure out why the graphql-request library suddenly started erroring, even though the response was there.