fix(contact): drop Origin header when forwarding to CMS
SvelteKit already validates Origin at /api/contact; forwarding the client Origin upstream caused the prod CMS to reject local dev submissions (allowlist is prod-only). CMS forms plugin accepts no-Origin requests when REQUIRE_ORIGIN=false. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -36,7 +36,7 @@ const ALLOWED_ORIGINS = new Set([
|
||||
"http://localhost:4173",
|
||||
]);
|
||||
|
||||
export const POST: RequestHandler = async ({ request, getClientAddress, url }) => {
|
||||
export const POST: RequestHandler = async ({ request, getClientAddress }) => {
|
||||
// Origin/Referer must match — blocks naive cross-site POSTs
|
||||
const origin = request.headers.get("origin") ?? "";
|
||||
const referer = request.headers.get("referer") ?? "";
|
||||
@@ -107,12 +107,13 @@ export const POST: RequestHandler = async ({ request, getClientAddress, url }) =
|
||||
|
||||
let res: Response;
|
||||
try {
|
||||
// No Origin header — we already validated it at this server.
|
||||
// CMS forms plugin (REQUIRE_ORIGIN=false) accepts requests without one.
|
||||
res = await fetch(cmsUrl, {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
"X-Forwarded-For": getClientAddress(),
|
||||
Origin: url.origin,
|
||||
},
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user