From 8122c3c1477bf1e0b47a3146e1575c8fa5208d3b Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 10:39:01 -0400
Subject: [PATCH 01/10] CSRF protection by default

---
 documentation/docs/14-configuration.md               | 11 +++++++++++
 packages/kit/src/core/config/index.spec.js           |  3 +++
 packages/kit/src/core/config/options.js              |  4 ++++
 packages/kit/src/exports/vite/build/build_server.js  |  3 +++
 packages/kit/src/exports/vite/dev/index.js           |  3 +++
 packages/kit/src/runtime/server/index.js             | 10 ++++++++++
 .../kit/test/apps/basics/src/routes/csrf/+server.js  |  4 ++++
 packages/kit/test/apps/basics/test/server.test.js    | 12 ++++++++++++
 packages/kit/types/index.d.ts                        |  3 +++
 packages/kit/types/internal.d.ts                     |  3 +++
 10 files changed, 56 insertions(+)
 create mode 100644 packages/kit/test/apps/basics/src/routes/csrf/+server.js

diff --git a/documentation/docs/14-configuration.md b/documentation/docs/14-configuration.md
index 1893883bbbd0..55f0f7c97f92 100644
--- a/documentation/docs/14-configuration.md
+++ b/documentation/docs/14-configuration.md
@@ -25,6 +25,9 @@ const config = {
 				// ...
 			}
 		},
+		csrf: {
+			checkOrigin: true
+		},
 		env: {
 			dir: process.cwd(),
 			publicPrefix: 'PUBLIC_'
@@ -161,6 +164,14 @@ When pages are prerendered, the CSP header is added via a `<meta http-equiv>` ta
 
 > Note that most [Svelte transitions](https://svelte.dev/tutorial/transition) work by creating an inline `<style>` element. If you use these in your app, you must either leave the `style-src` directive unspecified or add `unsafe-inline`.
 
+### csrf
+
+Protection against [cross-site request forgery](https://owasp.org/www-community/attacks/csrf) attacks:
+
+- `checkOrigin` — if `true`, SvelteKit will check the incoming `origin` header for `POST`, `PUT`, `PATCH` and `DELETE` requests and verify that it matches the server's origin
+
+To allow people to make mutative requests to your app from other origins, you will need to disable this option. Be careful!
+
 ### env
 
 Environment variable configuration:
diff --git a/packages/kit/src/core/config/index.spec.js b/packages/kit/src/core/config/index.spec.js
index c324dd347b18..4ece16a5316c 100644
--- a/packages/kit/src/core/config/index.spec.js
+++ b/packages/kit/src/core/config/index.spec.js
@@ -72,6 +72,9 @@ const get_defaults = (prefix = '') => ({
 			directives: directive_defaults,
 			reportOnly: directive_defaults
 		},
+		csrf: {
+			checkOrigin: true
+		},
 		endpointExtensions: undefined,
 		env: {
 			dir: process.cwd(),
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
index 9b4eefd5cf86..a442fa1d7451 100644
--- a/packages/kit/src/core/config/options.js
+++ b/packages/kit/src/core/config/options.js
@@ -125,6 +125,10 @@ const options = object(
 				reportOnly: directives
 			}),
 
+			csrf: object({
+				checkOrigin: boolean(true)
+			}),
+
 			// TODO: remove this for the 1.0 release
 			endpointExtensions: error(
 				(keypath) => `${keypath} has been renamed to config.kit.moduleExtensions`
diff --git a/packages/kit/src/exports/vite/build/build_server.js b/packages/kit/src/exports/vite/build/build_server.js
index 231243312c7c..137d358eeb75 100644
--- a/packages/kit/src/exports/vite/build/build_server.js
+++ b/packages/kit/src/exports/vite/build/build_server.js
@@ -54,6 +54,9 @@ export class Server {
 	constructor(manifest) {
 		this.options = {
 			csp: ${s(config.kit.csp)},
+			csrf: {
+				check_origin: ${s(config.kit.csrf.checkOrigin)},
+			},
 			dev: false,
 			get_stack: error => String(error), // for security
 			handle_error: (error, event) => {
diff --git a/packages/kit/src/exports/vite/dev/index.js b/packages/kit/src/exports/vite/dev/index.js
index cc6b0bd23eb1..4ce5b8fb9b27 100644
--- a/packages/kit/src/exports/vite/dev/index.js
+++ b/packages/kit/src/exports/vite/dev/index.js
@@ -377,6 +377,9 @@ export async function dev(vite, vite_config, svelte_config, illegal_imports) {
 					request,
 					{
 						csp: svelte_config.kit.csp,
+						csrf: {
+							check_origin: svelte_config.kit.csrf.checkOrigin
+						},
 						dev: true,
 						get_stack: (error) => fix_stack_trace(error),
 						handle_error: (error, event) => {
diff --git a/packages/kit/src/runtime/server/index.js b/packages/kit/src/runtime/server/index.js
index 413903640056..54a6744ce6dc 100644
--- a/packages/kit/src/runtime/server/index.js
+++ b/packages/kit/src/runtime/server/index.js
@@ -14,10 +14,20 @@ import { DATA_SUFFIX } from '../../constants.js';
 /** @param {{ html: string }} opts */
 const default_transform = ({ html }) => html;
 
+const mutative_methods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+
 /** @type {import('types').Respond} */
 export async function respond(request, options, state) {
 	let url = new URL(request.url);
 
+	if (
+		options.csrf.check_origin &&
+		mutative_methods.has(request.method) &&
+		request.headers.get('origin') !== url.origin
+	) {
+		return new Response(`Cross-site ${request.method} requests are forbidden`, { status: 403 });
+	}
+
 	const { parameter, allowed } = options.method_override;
 	const method_override = url.searchParams.get(parameter)?.toUpperCase();
 
diff --git a/packages/kit/test/apps/basics/src/routes/csrf/+server.js b/packages/kit/test/apps/basics/src/routes/csrf/+server.js
new file mode 100644
index 000000000000..cfbef14241d6
--- /dev/null
+++ b/packages/kit/test/apps/basics/src/routes/csrf/+server.js
@@ -0,0 +1,4 @@
+/** @type {import('./$types').RequestHandler} */
+export function POST() {
+	return new Response(undefined, { status: 201 });
+}
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index f22bcd6a4196..aaeef3045956 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
@@ -1,5 +1,6 @@
 import { expect } from '@playwright/test';
 import { test } from '../../../utils.js';
+import { fetch } from 'undici';
 import { createHash, randomBytes } from 'node:crypto';
 
 /** @typedef {import('@playwright/test').Response} Response */
@@ -22,6 +23,17 @@ test.describe('Content-Type', () => {
 	});
 });
 
+test.describe('CSRF', () => {
+	test('Blocks requests with incorrect origin', async ({ baseURL }) => {
+		const res = await fetch(`${baseURL}/csrf`, {
+			method: 'POST'
+		});
+
+		expect(res.status).toBe(403);
+		expect(await res.text()).toBe('Cross-site POST requests are forbidden');
+	});
+});
+
 test.describe('Endpoints', () => {
 	test('HEAD with matching headers but without body', async ({ request }) => {
 		const url = '/endpoint-output/body';
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index ffe84ca00789..cbbd7fb734a9 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -128,6 +128,9 @@ export interface KitConfig {
 		directives?: CspDirectives;
 		reportOnly?: CspDirectives;
 	};
+	csrf?: {
+		checkOrigin?: boolean;
+	};
 	env?: {
 		dir?: string;
 		publicPrefix?: string;
diff --git a/packages/kit/types/internal.d.ts b/packages/kit/types/internal.d.ts
index 234af54f8732..508a7bb6ee51 100644
--- a/packages/kit/types/internal.d.ts
+++ b/packages/kit/types/internal.d.ts
@@ -290,6 +290,9 @@ export type SSRNodeLoader = () => Promise<SSRNode>;
 
 export interface SSROptions {
 	csp: ValidatedConfig['kit']['csp'];
+	csrf: {
+		check_origin: boolean;
+	};
 	dev: boolean;
 	get_stack: (error: Error) => string | undefined;
 	handle_error(error: Error & { frame?: string }, event: RequestEvent): void;

From 2fa598be17b07ec603285fe667c353f0fa1ba71e Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 10:39:38 -0400
Subject: [PATCH 02/10] changeset

---
 .changeset/strange-apples-vanish.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/strange-apples-vanish.md

diff --git a/.changeset/strange-apples-vanish.md b/.changeset/strange-apples-vanish.md
new file mode 100644
index 000000000000..5a47c8d60e26
--- /dev/null
+++ b/.changeset/strange-apples-vanish.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[breaking] block cross-site mutative requests by default. disable with config.kit.csrf.checkOrigin

From 0f508a68221576c4f9d6d02ec1eaaa530eb7863a Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 11:50:56 -0400
Subject: [PATCH 03/10] fix tests

---
 packages/kit/src/runtime/server/index.js      |  5 ++---
 packages/kit/src/runtime/server/page/fetch.js |  6 +++++
 packages/kit/src/utils/http.js                |  7 ++++++
 .../kit/test/apps/basics/test/server.test.js  | 22 ++++++++++++++-----
 4 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/packages/kit/src/runtime/server/index.js b/packages/kit/src/runtime/server/index.js
index 54a6744ce6dc..82df443fb502 100644
--- a/packages/kit/src/runtime/server/index.js
+++ b/packages/kit/src/runtime/server/index.js
@@ -8,21 +8,20 @@ import { decode_params, disable_search, normalize_path } from '../../utils/url.j
 import { exec } from '../../utils/routing.js';
 import { render_data } from './data/index.js';
 import { DATA_SUFFIX } from '../../constants.js';
+import { is_mutative_method } from '../../utils/http.js';
 
 /* global __SVELTEKIT_ADAPTER_NAME__ */
 
 /** @param {{ html: string }} opts */
 const default_transform = ({ html }) => html;
 
-const mutative_methods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
-
 /** @type {import('types').Respond} */
 export async function respond(request, options, state) {
 	let url = new URL(request.url);
 
 	if (
 		options.csrf.check_origin &&
-		mutative_methods.has(request.method) &&
+		is_mutative_method(request.method) &&
 		request.headers.get('origin') !== url.origin
 	) {
 		return new Response(`Cross-site ${request.method} requests are forbidden`, { status: 403 });
diff --git a/packages/kit/src/runtime/server/page/fetch.js b/packages/kit/src/runtime/server/page/fetch.js
index adde5f994fb8..970869383534 100644
--- a/packages/kit/src/runtime/server/page/fetch.js
+++ b/packages/kit/src/runtime/server/page/fetch.js
@@ -3,6 +3,7 @@ import * as set_cookie_parser from 'set-cookie-parser';
 import { respond } from '../index.js';
 import { is_root_relative, resolve } from '../../../utils/url.js';
 import { domain_matches, path_matches } from './cookie.js';
+import { is_mutative_method } from '../../../utils/http.js';
 
 /**
  * @param {{
@@ -132,6 +133,11 @@ export function create_fetch({ event, options, state, route, prerender_default }
 				throw new Error('Request body must be a string');
 			}
 
+			// we need to set an origin header if it's not a GET request
+			if (is_mutative_method((opts.method ?? 'GET').toUpperCase())) {
+				opts.headers.set('origin', event.url.origin);
+			}
+
 			response = await respond(
 				new Request(new URL(requested, event.url).href, { ...opts }),
 				options,
diff --git a/packages/kit/src/utils/http.js b/packages/kit/src/utils/http.js
index 434a0f1f869f..55877dfd9a07 100644
--- a/packages/kit/src/utils/http.js
+++ b/packages/kit/src/utils/http.js
@@ -53,3 +53,10 @@ export function negotiate(accept, types) {
 
 	return accepted;
 }
+
+const mutative_methods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+
+/** @param {string} method */
+export function is_mutative_method(method) {
+	return mutative_methods.has(method);
+}
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index aaeef3045956..b393fbad6447 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
@@ -103,10 +103,15 @@ test.describe('Endpoints', () => {
 	});
 
 	// TODO see above
-	test('request body can be read slow', async ({ request }) => {
+	test('request body can be read slow', async ({ baseURL, request }) => {
 		const data = randomBytes(1024 * 256);
 		const digest = createHash('sha256').update(data).digest('base64url');
-		const response = await request.put('/endpoint-input/sha256', { data });
+		const response = await request.put('/endpoint-input/sha256', {
+			data,
+			headers: {
+				origin: new URL(baseURL).origin
+			}
+		});
 		expect(await response.text()).toEqual(digest);
 	});
 });
@@ -121,8 +126,12 @@ test.describe('Errors', () => {
 		);
 	});
 
-	test('unhandled http method', async ({ request }) => {
-		const response = await request.put('/errors/invalid-route-response');
+	test('unhandled http method', async ({ baseURL, request }) => {
+		const response = await request.put('/errors/invalid-route-response', {
+			headers: {
+				origin: new URL(baseURL).origin
+			}
+		});
 
 		expect(response.status()).toBe(405);
 		expect(await response.text()).toMatch('PUT method not allowed');
@@ -269,10 +278,11 @@ test.describe('Routing', () => {
 });
 
 test.describe('Shadowed pages', () => {
-	test('Action can return undefined', async ({ request }) => {
+	test('Action can return undefined', async ({ baseURL, request }) => {
 		const response = await request.post('/shadowed/simple/post', {
 			headers: {
-				accept: 'application/json'
+				accept: 'application/json',
+				origin: new URL(baseURL).origin
 			}
 		});
 

From 36a14b352fa773093b82a2a4b93e51e9cf2f681c Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 12:07:26 -0400
Subject: [PATCH 04/10] POST alone

---
 documentation/docs/14-configuration.md        | 4 ++--
 packages/kit/src/runtime/server/index.js      | 3 +--
 packages/kit/src/runtime/server/page/fetch.js | 6 +++---
 packages/kit/src/utils/http.js                | 7 -------
 4 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/documentation/docs/14-configuration.md b/documentation/docs/14-configuration.md
index 55f0f7c97f92..1ccacb7cd2d6 100644
--- a/documentation/docs/14-configuration.md
+++ b/documentation/docs/14-configuration.md
@@ -168,9 +168,9 @@ When pages are prerendered, the CSP header is added via a `<meta http-equiv>` ta
 
 Protection against [cross-site request forgery](https://owasp.org/www-community/attacks/csrf) attacks:
 
-- `checkOrigin` — if `true`, SvelteKit will check the incoming `origin` header for `POST`, `PUT`, `PATCH` and `DELETE` requests and verify that it matches the server's origin
+- `checkOrigin` — if `true`, SvelteKit will check the incoming `origin` header for `POST` requests and verify that it matches the server's origin
 
-To allow people to make mutative requests to your app from other origins, you will need to disable this option. Be careful!
+To allow people to make `POST` requests to your app from other origins, you will need to disable this option. Be careful!
 
 ### env
 
diff --git a/packages/kit/src/runtime/server/index.js b/packages/kit/src/runtime/server/index.js
index 82df443fb502..9aa0c7b7a86b 100644
--- a/packages/kit/src/runtime/server/index.js
+++ b/packages/kit/src/runtime/server/index.js
@@ -8,7 +8,6 @@ import { decode_params, disable_search, normalize_path } from '../../utils/url.j
 import { exec } from '../../utils/routing.js';
 import { render_data } from './data/index.js';
 import { DATA_SUFFIX } from '../../constants.js';
-import { is_mutative_method } from '../../utils/http.js';
 
 /* global __SVELTEKIT_ADAPTER_NAME__ */
 
@@ -21,7 +20,7 @@ export async function respond(request, options, state) {
 
 	if (
 		options.csrf.check_origin &&
-		is_mutative_method(request.method) &&
+		request.method === 'POST' &&
 		request.headers.get('origin') !== url.origin
 	) {
 		return new Response(`Cross-site ${request.method} requests are forbidden`, { status: 403 });
diff --git a/packages/kit/src/runtime/server/page/fetch.js b/packages/kit/src/runtime/server/page/fetch.js
index 970869383534..1e3c566b815c 100644
--- a/packages/kit/src/runtime/server/page/fetch.js
+++ b/packages/kit/src/runtime/server/page/fetch.js
@@ -3,7 +3,6 @@ import * as set_cookie_parser from 'set-cookie-parser';
 import { respond } from '../index.js';
 import { is_root_relative, resolve } from '../../../utils/url.js';
 import { domain_matches, path_matches } from './cookie.js';
-import { is_mutative_method } from '../../../utils/http.js';
 
 /**
  * @param {{
@@ -133,8 +132,9 @@ export function create_fetch({ event, options, state, route, prerender_default }
 				throw new Error('Request body must be a string');
 			}
 
-			// we need to set an origin header if it's not a GET request
-			if (is_mutative_method((opts.method ?? 'GET').toUpperCase())) {
+			// we need to set an origin header if it's a POST request, to avoid
+			// CSRF protection blocking this request
+			if (opts.method?.toUpperCase() === 'POST') {
 				opts.headers.set('origin', event.url.origin);
 			}
 
diff --git a/packages/kit/src/utils/http.js b/packages/kit/src/utils/http.js
index 55877dfd9a07..434a0f1f869f 100644
--- a/packages/kit/src/utils/http.js
+++ b/packages/kit/src/utils/http.js
@@ -53,10 +53,3 @@ export function negotiate(accept, types) {
 
 	return accepted;
 }
-
-const mutative_methods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
-
-/** @param {string} method */
-export function is_mutative_method(method) {
-	return mutative_methods.has(method);
-}

From 204ee61d8e11312cfca3288fcf047a498266678d Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 12:19:13 -0400
Subject: [PATCH 05/10] restrict to form submissions

---
 documentation/docs/14-configuration.md        |  4 ++--
 packages/kit/src/runtime/server/index.js      | 19 +++++++++++++------
 .../kit/test/apps/basics/test/server.test.js  |  2 +-
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/documentation/docs/14-configuration.md b/documentation/docs/14-configuration.md
index 1ccacb7cd2d6..6fe48cd98585 100644
--- a/documentation/docs/14-configuration.md
+++ b/documentation/docs/14-configuration.md
@@ -168,9 +168,9 @@ When pages are prerendered, the CSP header is added via a `<meta http-equiv>` ta
 
 Protection against [cross-site request forgery](https://owasp.org/www-community/attacks/csrf) attacks:
 
-- `checkOrigin` — if `true`, SvelteKit will check the incoming `origin` header for `POST` requests and verify that it matches the server's origin
+- `checkOrigin` — if `true`, SvelteKit will check the incoming `origin` header for `POST` form submissions and verify that it matches the server's origin
 
-To allow people to make `POST` requests to your app from other origins, you will need to disable this option. Be careful!
+To allow people to make `POST` form submissions to your app from other origins, you will need to disable this option. Be careful!
 
 ### env
 
diff --git a/packages/kit/src/runtime/server/index.js b/packages/kit/src/runtime/server/index.js
index 9aa0c7b7a86b..2bbc8aa97fe9 100644
--- a/packages/kit/src/runtime/server/index.js
+++ b/packages/kit/src/runtime/server/index.js
@@ -18,12 +18,19 @@ const default_transform = ({ html }) => html;
 export async function respond(request, options, state) {
 	let url = new URL(request.url);
 
-	if (
-		options.csrf.check_origin &&
-		request.method === 'POST' &&
-		request.headers.get('origin') !== url.origin
-	) {
-		return new Response(`Cross-site ${request.method} requests are forbidden`, { status: 403 });
+	if (options.csrf.check_origin) {
+		const type = request.headers.get('content-type');
+
+		const forbidden =
+			request.method === 'POST' &&
+			request.headers.get('origin') !== url.origin &&
+			(type === 'application/x-www-form-urlencoded' || type === 'multipart/form-data');
+
+		if (forbidden) {
+			return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+				status: 403
+			});
+		}
 	}
 
 	const { parameter, allowed } = options.method_override;
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index b393fbad6447..8325775d1101 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
@@ -30,7 +30,7 @@ test.describe('CSRF', () => {
 		});
 
 		expect(res.status).toBe(403);
-		expect(await res.text()).toBe('Cross-site POST requests are forbidden');
+		expect(await res.text()).toBe('Cross-site POST form submissions are forbidden');
 	});
 });
 

From cd470f8184127c6da80317a6c3e10d80515dc726 Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 12:32:10 -0400
Subject: [PATCH 06/10] fix content-type check

---
 packages/kit/src/runtime/server/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/index.js b/packages/kit/src/runtime/server/index.js
index 2bbc8aa97fe9..ec142c6ece25 100644
--- a/packages/kit/src/runtime/server/index.js
+++ b/packages/kit/src/runtime/server/index.js
@@ -19,7 +19,7 @@ export async function respond(request, options, state) {
 	let url = new URL(request.url);
 
 	if (options.csrf.check_origin) {
-		const type = request.headers.get('content-type');
+		const type = request.headers.get('content-type')?.split(';')[0];
 
 		const forbidden =
 			request.method === 'POST' &&

From e60a953bc9be59999cc940e5815744b4a90e66f6 Mon Sep 17 00:00:00 2001
From: Rich Harris <richard.a.harris@gmail.com>
Date: Thu, 1 Sep 2022 12:33:29 -0400
Subject: [PATCH 07/10] Update .changeset/strange-apples-vanish.md

Co-authored-by: Conduitry <git@chor.date>
---
 .changeset/strange-apples-vanish.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/strange-apples-vanish.md b/.changeset/strange-apples-vanish.md
index 5a47c8d60e26..ff1256d8c230 100644
--- a/.changeset/strange-apples-vanish.md
+++ b/.changeset/strange-apples-vanish.md
@@ -2,4 +2,4 @@
 '@sveltejs/kit': patch
 ---
 
-[breaking] block cross-site mutative requests by default. disable with config.kit.csrf.checkOrigin
+[breaking] block cross-site form POSTs by default. disable with config.kit.csrf.checkOrigin

From 90577b801befbf3e97bf13347e503356daa56c03 Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 12:33:40 -0400
Subject: [PATCH 08/10] undo test changes

---
 packages/kit/src/runtime/server/page/fetch.js |  6 ------
 .../kit/test/apps/basics/test/server.test.js  | 20 ++++++-------------
 2 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/fetch.js b/packages/kit/src/runtime/server/page/fetch.js
index 1e3c566b815c..adde5f994fb8 100644
--- a/packages/kit/src/runtime/server/page/fetch.js
+++ b/packages/kit/src/runtime/server/page/fetch.js
@@ -132,12 +132,6 @@ export function create_fetch({ event, options, state, route, prerender_default }
 				throw new Error('Request body must be a string');
 			}
 
-			// we need to set an origin header if it's a POST request, to avoid
-			// CSRF protection blocking this request
-			if (opts.method?.toUpperCase() === 'POST') {
-				opts.headers.set('origin', event.url.origin);
-			}
-
 			response = await respond(
 				new Request(new URL(requested, event.url).href, { ...opts }),
 				options,
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index 8325775d1101..d878e57f7ebb 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
@@ -103,14 +103,11 @@ test.describe('Endpoints', () => {
 	});
 
 	// TODO see above
-	test('request body can be read slow', async ({ baseURL, request }) => {
+	test('request body can be read slow', async ({ request }) => {
 		const data = randomBytes(1024 * 256);
 		const digest = createHash('sha256').update(data).digest('base64url');
 		const response = await request.put('/endpoint-input/sha256', {
-			data,
-			headers: {
-				origin: new URL(baseURL).origin
-			}
+			data
 		});
 		expect(await response.text()).toEqual(digest);
 	});
@@ -126,12 +123,8 @@ test.describe('Errors', () => {
 		);
 	});
 
-	test('unhandled http method', async ({ baseURL, request }) => {
-		const response = await request.put('/errors/invalid-route-response', {
-			headers: {
-				origin: new URL(baseURL).origin
-			}
-		});
+	test('unhandled http method', async ({ request }) => {
+		const response = await request.put('/errors/invalid-route-response');
 
 		expect(response.status()).toBe(405);
 		expect(await response.text()).toMatch('PUT method not allowed');
@@ -278,11 +271,10 @@ test.describe('Routing', () => {
 });
 
 test.describe('Shadowed pages', () => {
-	test('Action can return undefined', async ({ baseURL, request }) => {
+	test('Action can return undefined', async ({ request }) => {
 		const response = await request.post('/shadowed/simple/post', {
 			headers: {
-				accept: 'application/json',
-				origin: new URL(baseURL).origin
+				accept: 'application/json'
 			}
 		});
 

From 715afed1a2514518101f325b9488c927b027bfac Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 12:34:46 -0400
Subject: [PATCH 09/10] revert formatting change

---
 packages/kit/test/apps/basics/test/server.test.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index d878e57f7ebb..a7bf2b0d4143 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
@@ -106,9 +106,7 @@ test.describe('Endpoints', () => {
 	test('request body can be read slow', async ({ request }) => {
 		const data = randomBytes(1024 * 256);
 		const digest = createHash('sha256').update(data).digest('base64url');
-		const response = await request.put('/endpoint-input/sha256', {
-			data
-		});
+		const response = await request.put('/endpoint-input/sha256', { data });
 		expect(await response.text()).toEqual(digest);
 	});
 });

From 65508b0c26f0db66dfc4a919f03cdecc4edb835b Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Thu, 1 Sep 2022 12:49:09 -0400
Subject: [PATCH 10/10] blurgh

---
 packages/kit/test/apps/basics/test/server.test.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index a7bf2b0d4143..9cf989154092 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
@@ -26,7 +26,10 @@ test.describe('Content-Type', () => {
 test.describe('CSRF', () => {
 	test('Blocks requests with incorrect origin', async ({ baseURL }) => {
 		const res = await fetch(`${baseURL}/csrf`, {
-			method: 'POST'
+			method: 'POST',
+			headers: {
+				'content-type': 'application/x-www-form-urlencoded'
+			}
 		});
 
 		expect(res.status).toBe(403);