Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] ensure serialized headers check is always applied #7221

Merged
merged 2 commits into from
Oct 19, 2022
Merged

[fix] ensure serialized headers check is always applied #7221

merged 2 commits into from
Oct 19, 2022

Conversation

dummdidumm
Copy link
Member

@dummdidumm dummdidumm commented Oct 11, 2022
edited

Closes #7112 - if we decide this is enough, and that we don't want some minimum whitelist. At least content-type seems like an easy win, and would save people some hassle - for example from #6412 (comment) it seems that some libraries want the content type header.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

@changeset-bot
Copy link

changeset-bot bot commented Oct 11, 2022
edited

🦋 Changeset detected

Latest commit: 40cd01b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

dummdidumm
dummdidumm commented Oct 11, 2022
View reviewed changes
packages/kit/src/runtime/server/page/load_data.js Outdated
@@ -186,6 +169,23 @@ export async function load_data({
}
});

// ensure that excluded headers can't be read
const get = response.headers.get;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering why the proxy is used instead of monkey patching the other methods as well - convenience?

Also: Should we apply this check in DEV only?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be more convenient to monkey-patch the Response methods instead of using the proxy, but we get 'illegal invocation' errors. For whatever reason that doesn't apply to Headers so we may as well do the convenient thing there.

I think it's fine to keep the error in production, since it doesn't result in extra code shipped to the client and might help someone diagnose a bug

@Rich-Harris Rich-Harris merged commit 779d575 into master Oct 19, 2022
@Rich-Harris Rich-Harris deleted the fix-headers-check branch October 19, 2022 15:22
@github-actions github-actions bot mentioned this pull request Oct 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rich-Harris Rich-Harris Rich-Harris approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Content-Type for responses with sveltes fetch always text/plain on client
2 participants
@dummdidumm @Rich-Harris