Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

breaking: disallow external navigation using goto #11207

Merged
merged 15 commits into from
Dec 9, 2023
Merged

Conversation

dummdidumm
Copy link
Member

closes #8775

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Copy link

changeset-bot bot commented Dec 6, 2023

🦋 Changeset detected

Latest commit: 87dc49f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@eltigerchino
Copy link
Member

Should we add a test to check that goto doesn't navigate to external URLs without the external option? Otherwise, LGTM

@benmccann benmccann added this to the 2.0 milestone Dec 6, 2023
@benmccann
Copy link
Member

I wonder if we should also add an external option in v1, allow you to navigate externally without, but log a warning if you don't use it

dummdidumm added a commit that referenced this pull request Dec 7, 2023
in preparation for SvelteKit 2
related to #8775 / #11207
@benmccann
Copy link
Member

One other question about this - should it be called external or allowExternal? You may be passing a URL that could be either internal or external in which case allowExternal makes more sense. It is slightly more verbose though...

@Rich-Harris
Copy link
Member

We concluded that there's no value in having an external option. It complicates the API for zero benefit

@Rich-Harris Rich-Harris changed the title breaking: disallow external navigation using goto by default breaking: disallow external navigation using goto Dec 8, 2023
@@ -1376,6 +1376,19 @@ export function create_client(app, target) {
},

goto: (href, opts = {}) => {
if (typeof href === 'string') {
href = new URL(href, get_base_uri(document));
Copy link
Member

@benmccann benmccann Dec 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there are three places we do new URL(href, get_base_uri(document)) now. is that worthy of a helper?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only see two — where's the third?

as an aside the if (typeof href === 'string') check is arguably unnecessary, since if href (which is a badly named argument) is already a URL then it'll just be cloned harmlessly. goto isn't a hot code path so it's probably more valuable to shrink the code than to avoid the extra work

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one is new URL(url, get_base_uri(document)), but same thing. It also has that if (typeof href === 'string') check so we could either move it into the helper or remove it. I'm fine with removing it

Copy link
Member

@Rich-Harris Rich-Harris Dec 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, right. yep, have consolidated all this logic in a replacement for get_base_uri called resolve_url. much nicer, good catch

@benmccann
Copy link
Member

I don't have a strong opinion on whether this or the old API is better, but I'm fine with this change. I did notice though that the issue was created due to some worry about goto being called with javascript: URLs. Do you think we need a test for that case to prevent us from ever changing the API back or is that overkill?

Anyway, that's my last comment, so feel free to merge whenever you're happy with it

@Rich-Harris Rich-Harris merged commit dab9817 into version-2 Dec 9, 2023
13 checks passed
@Rich-Harris Rich-Harris deleted the goto-external branch December 9, 2023 01:20
@github-actions github-actions bot mentioned this pull request Dec 14, 2023
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request Feb 22, 2024
SvelteKit's goto(url) can't navigate to third party pages anymore (makes
sense)

sveltejs/kit#11207
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request Feb 22, 2024
SvelteKit's goto(url) can't navigate to third party pages anymore (makes
sense)

sveltejs/kit#11207
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants