sveltejs · Rich-Harris · Dec 9, 2023 · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023
diff --git a/.changeset/silent-games-taste.md b/.changeset/silent-games-taste.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': major
+---
+
+breaking: disallow external navigation using `goto` by default
diff --git a/packages/kit/src/runtime/app/navigation.js b/packages/kit/src/runtime/app/navigation.js
@@ -23,7 +23,7 @@ export const disableScrollHandling = /* @__PURE__ */ client_method('disable_scro
  * @param {boolean} [opts.replaceState] If `true`, will replace the current `history` entry rather than creating a new one with `pushState`
  * @param {boolean} [opts.noScroll] If `true`, the browser will maintain its scroll position rather than scrolling to the top of the page after navigation
  * @param {boolean} [opts.keepFocus] If `true`, the currently focused element will retain focus after navigation. Otherwise, focus will be reset to the body
- * @param {boolean} [invalidateAll] If `true`, all `load` functions of the page will be rerun. See https://kit.svelte.dev/docs/load#rerunning-load-functions for more info on invalidation.
+ * @param {boolean} [opts.invalidateAll] If `true`, all `load` functions of the page will be rerun. See https://kit.svelte.dev/docs/load#rerunning-load-functions for more info on invalidation.
  * @param {any} [opts.state] The state of the new/updated history entry
  * @returns {Promise<void>}
  */

diff --git a/packages/kit/src/runtime/client/client.js b/packages/kit/src/runtime/client/client.js
@@ -1376,6 +1376,19 @@ export function create_client(app, target) {
 		},
 
 		goto: (href, opts = {}) => {
+			if (typeof href === 'string') {
+				href = new URL(href, get_base_uri(document));
+			}
+			if (href.origin !== origin) {
+				if (DEV) {
+					return Promise.reject(
+						`Cannot use \`goto\` with an external URL. Use \`window.location = "${href}"\` instead`
+					);
+				} else {
+					return Promise.reject();
+				}
+			}
+
 			return goto(href, opts, 0);
 		},
 

diff --git a/packages/kit/test/apps/basics/test/cross-platform/client.test.js b/packages/kit/test/apps/basics/test/cross-platform/client.test.js
@@ -143,11 +143,11 @@ test.describe('Navigation lifecycle functions', () => {
 
 	test('beforeNavigate prevents external navigation triggered by goto', async ({
 		page,
-		app,
 		baseURL
 	}) => {
 		await page.goto('/navigation-lifecycle/before-navigate/prevent-navigation');
-		await app.goto('https://google.de');
+		page.goto('https://google.de');
+		await page.waitForTimeout(500);
 		expect(page.url()).toBe(baseURL + '/navigation-lifecycle/before-navigate/prevent-navigation');
 		expect(await page.innerHTML('pre')).toBe('1 true goto');
 	});
@@ -216,7 +216,8 @@ test.describe('Navigation lifecycle functions', () => {
 		await page.goto('/navigation-lifecycle/before-navigate/prevent-navigation');
 		await page.click('h1'); // The browsers block attempts to prevent navigation on a frame that's never had a user gesture.
 
-		await app.goto('https://google.de');
+		page.goto('https://google.de');
+		await page.waitForTimeout(500);
 		await app.goto('/navigation-lifecycle/before-navigate/prevent-navigation?x=1');
 
 		expect(await page.innerHTML('pre')).toBe('2 false goto');