My payment providers is getting `403 Forbidden: Cross-site POST form submissions are forbidden`. trustedOrigins not helping.

[samal-rasmussen]

Describe the bug

My payment providers is getting 403 Forbidden: Cross-site POST form submissions are forbidden when making their success callback to my site after a payment.

trustedOrigins not helping as my payment provider doesn't set headers.origin, which is the only thing trustedOrigins checks as far as I can see. The payment provider sets their hostname in referrer instead.

So a fix would be to add a check for headers.referrer here too:

kit/packages/kit/src/runtime/server/respond.js

Line 78 in 9909a29

const request_origin = request.headers.get('origin');

Reproduction

Derp. Is this even feasible to do?

Logs

System Info

System:
    OS: macOS 15.6.1
    CPU: (8) arm64 Apple M1 Pro
    Memory: 114.30 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.18.0 - /Users/samalrasmussen/.nvm/versions/node/v22.18.0/bin/node
    Yarn: 1.22.22 - /opt/homebrew/bin/yarn
    npm: 11.6.0 - /Users/samalrasmussen/.nvm/versions/node/v22.18.0/bin/npm
    pnpm: 10.14.0 - /Users/samalrasmussen/Library/pnpm/pnpm
    Deno: 1.35.2 - /Users/samalrasmussen/.deno/bin/deno
    Watchman: 2025.06.30.00 - /opt/homebrew/bin/watchman
  Browsers:
    Brave Browser: 140.1.82.173
    Chrome: 141.0.7390.55
    Firefox: 144.0.2
    Safari: 18.6
  npmPackages:
    @sveltejs/adapter-node: 5.3.3 => 5.3.3 
    @sveltejs/kit: 2.43.7 => 2.43.7 
    @sveltejs/vite-plugin-svelte: 6.2.1 => 6.2.1 
    svelte: 5.39.8 => 5.39.8 
    vite: 7.1.8 => 7.1.8

Severity

blocking an upgrade

Additional Information

No response

[Conduitry]

Can you manually set Origin (based on the headers they do send, or based on whatever else you choose) in your handle hook? I don't think we should make changes to SK to accommodate things that are making calls that look like FormData POSTs to your website but which don't make them sufficiently look like what a browser would actually be sending.

[samal-rasmussen]

Thank you for the suggestion Conduitry. That would have been an ok workaround, but unfortunately it seems the csrf check happens before hooks.handle is called. It happens way down here:

kit/packages/kit/src/runtime/server/respond.js

Line 418 in 9909a29

options.hooks.handle({

I tried putting a console.log in hooks.server.ts implementation and it's not logging anything when the csrf check fails and it responds with 403.

For now I am using patch-package to patch the csrf check in respond.js, so it checks the header I need to check.

[Conduitry]

I see. I had forgotten and/or not realized that. I see now that the CSRF checks happen quite early in the request handling, before SvelteKit even figures out what route this is.

I don't think that a fallback check for Referer makes sense as a general solution. For server-to-server calls like this one, there's not any more of a reason for them to contain Referer than there is for them to contain Origin, and falling back to Referer would only help services like this payment processor that do happen to include Referer but not Origin.

I chatted with other maintainers about this for a little while, and I think what I would currently propose as a solution would be to expose SvelteKit's default CSRF checking logic in some way as an exported callback function from the @sveltejs/kit package or from the $app module. You would then need to disable the default CSRF checks entirely (with trustedOrigins: ['*']), and then manually conditionally call this new callback as the first thing in your handle hook. You could then decide not to call it when the Referer matches this payment processor, or you could decide not to call it for one specific route, or however else you decide you want to deal with this.

[samal-rasmussen]

Ok, sounds like a nice minimal change to the sveltekit api that also gives full flexibility.

If I understand correctly then I guess this new exported default csrf check implementation would need to take trustedOrigins as an argument or else it would also be disabled when I call it from hooks and have * in trustedOrigins in the config.