fix(contact): drop Origin header when forwarding to CMS
Deploy / verify (push) Failing after 43s
Deploy / deploy (push) Has been skipped

SvelteKit already validates Origin at /api/contact; forwarding the
client Origin upstream caused the prod CMS to reject local dev
submissions (allowlist is prod-only). CMS forms plugin accepts
no-Origin requests when REQUIRE_ORIGIN=false.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Peter Meier
2026-05-21 11:44:06 +02:00
parent d03afe780e
commit bcf1502093
+3 -2
View File
@@ -36,7 +36,7 @@ const ALLOWED_ORIGINS = new Set([
"http://localhost:4173", "http://localhost:4173",
]); ]);
export const POST: RequestHandler = async ({ request, getClientAddress, url }) => { export const POST: RequestHandler = async ({ request, getClientAddress }) => {
// Origin/Referer must match — blocks naive cross-site POSTs // Origin/Referer must match — blocks naive cross-site POSTs
const origin = request.headers.get("origin") ?? ""; const origin = request.headers.get("origin") ?? "";
const referer = request.headers.get("referer") ?? ""; const referer = request.headers.get("referer") ?? "";
@@ -107,12 +107,13 @@ export const POST: RequestHandler = async ({ request, getClientAddress, url }) =
let res: Response; let res: Response;
try { try {
// No Origin header — we already validated it at this server.
// CMS forms plugin (REQUIRE_ORIGIN=false) accepts requests without one.
res = await fetch(cmsUrl, { res = await fetch(cmsUrl, {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
"X-Forwarded-For": getClientAddress(), "X-Forwarded-For": getClientAddress(),
Origin: url.origin,
}, },
body: JSON.stringify(payload), body: JSON.stringify(payload),
}); });