fix(contact): drop Origin header when forwarding to CMS
Deploy / verify (push) Failing after 43s
Deploy / deploy (push) Has been skipped

SvelteKit already validates Origin at /api/contact; forwarding the
client Origin upstream caused the prod CMS to reject local dev
submissions (allowlist is prod-only). CMS forms plugin accepts
no-Origin requests when REQUIRE_ORIGIN=false.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Peter Meier
2026-05-21 11:44:06 +02:00
parent d03afe780e
commit bcf1502093
+3 -2
View File
@@ -36,7 +36,7 @@ const ALLOWED_ORIGINS = new Set([
"http://localhost:4173",
]);
export const POST: RequestHandler = async ({ request, getClientAddress, url }) => {
export const POST: RequestHandler = async ({ request, getClientAddress }) => {
// Origin/Referer must match — blocks naive cross-site POSTs
const origin = request.headers.get("origin") ?? "";
const referer = request.headers.get("referer") ?? "";
@@ -107,12 +107,13 @@ export const POST: RequestHandler = async ({ request, getClientAddress, url }) =
let res: Response;
try {
// No Origin header — we already validated it at this server.
// CMS forms plugin (REQUIRE_ORIGIN=false) accepts requests without one.
res = await fetch(cmsUrl, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-Forwarded-For": getClientAddress(),
Origin: url.origin,
},
body: JSON.stringify(payload),
});