fix(contact): drop Origin header when forwarding to CMS
SvelteKit already validates Origin at /api/contact; forwarding the client Origin upstream caused the prod CMS to reject local dev submissions (allowlist is prod-only). CMS forms plugin accepts no-Origin requests when REQUIRE_ORIGIN=false. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -36,7 +36,7 @@ const ALLOWED_ORIGINS = new Set([
|
|||||||
"http://localhost:4173",
|
"http://localhost:4173",
|
||||||
]);
|
]);
|
||||||
|
|
||||||
export const POST: RequestHandler = async ({ request, getClientAddress, url }) => {
|
export const POST: RequestHandler = async ({ request, getClientAddress }) => {
|
||||||
// Origin/Referer must match — blocks naive cross-site POSTs
|
// Origin/Referer must match — blocks naive cross-site POSTs
|
||||||
const origin = request.headers.get("origin") ?? "";
|
const origin = request.headers.get("origin") ?? "";
|
||||||
const referer = request.headers.get("referer") ?? "";
|
const referer = request.headers.get("referer") ?? "";
|
||||||
@@ -107,12 +107,13 @@ export const POST: RequestHandler = async ({ request, getClientAddress, url }) =
|
|||||||
|
|
||||||
let res: Response;
|
let res: Response;
|
||||||
try {
|
try {
|
||||||
|
// No Origin header — we already validated it at this server.
|
||||||
|
// CMS forms plugin (REQUIRE_ORIGIN=false) accepts requests without one.
|
||||||
res = await fetch(cmsUrl, {
|
res = await fetch(cmsUrl, {
|
||||||
method: "POST",
|
method: "POST",
|
||||||
headers: {
|
headers: {
|
||||||
"Content-Type": "application/json",
|
"Content-Type": "application/json",
|
||||||
"X-Forwarded-For": getClientAddress(),
|
"X-Forwarded-For": getClientAddress(),
|
||||||
Origin: url.origin,
|
|
||||||
},
|
},
|
||||||
body: JSON.stringify(payload),
|
body: JSON.stringify(payload),
|
||||||
});
|
});
|
||||||
|
|||||||
Reference in New Issue
Block a user