Implement page.host #207
Comments
I've had to deal with this in the past and I remember deciding that My thought for this would be to have the adapter pass the underlying request object. Then the user could handle this and any other cases we haven't covered yet in a manner of their choosing.
Really don't want to go down that road. What was the problem with
I didn't envision the underlying request object being a frequently used thing, but only as an escape hatch Regarding
Express does not provide these headers by default as a result. I think we open ourselves up to people using these headers in unsafe ways without realizing that there can be issues with doing so. It's also not available in all environments because it requires load balancer configuration, which may lead to confusion. I would be okay with the idea if it were off by default and enabled with a config setting like in Express, so that people don't accidentally shoot themselves in the foot.
Yeah, I'm not imagining it would be on by default — am thinking maybe something like this:

```js
// svelte.config.js
module.exports = {
	adapter: '@adapter-node',
	hostHeader: 'x-forwarded-for' // defaults to 'host', but you can change it if you trust the proxy
};
```

We might also need to make it overridable for the sake of static exports:

```js
// svelte.config.js
module.exports = {
	adapter: '@adapter-node',
	host: process.env.HOST // falls back to hostHeader if unspecified
};
```
That makes sense to me. I like the idea of making it overridable. That would also support non-exported sites where the user doesn't have control to set that flag on the load balancer.
closed via #259
As per sveltejs/sapper#735. This is a way to provide the `host` to `preload` functions in a uniform way between server and client.

Wrinkles:

- `host` to endpoints as well as pages, even though they could get the same information from headers?
- `headers['x-forwarded-for']` where available? Express will only do this if the trust proxy setting is enabled — relevant tests here.
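A sketch of the opt-in behaviour discussed in this thread, as an added example that is not code from the issue or from the project. The option names `host` and `hostHeader` come from the config proposed above; the function names, the validation rule and the sample headers (including the use of `x-forwarded-host` as the forwarded header) are assumptions.

```javascript
// Hypothetical helper illustrating the opt-in design from the thread.
// `host` and `hostHeader` are the option names proposed above; everything
// else (function names, sample values) is an assumption for this example.

// Conservative hostname[:port] check. Rejects whitespace, commas, slashes and
// '@', so a joined duplicate header ("a.example, b.example") or a value
// carrying a path never reaches link generation. IPv6 literals are not handled.
const HOST_RE = /^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?(:\d{1,5})?$/i;

function cleanHost(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim().toLowerCase();
  return HOST_RE.test(v) ? v : null;
}

function resolveHost(config, headers) {
  // 1. An explicit `host` wins: static exports, or no control over the proxy.
  if (config.host) {
    const fixed = cleanHost(config.host);
    if (fixed === null) throw new Error('config.host is not a valid host');
    return fixed;
  }
  // 2. Otherwise read exactly one header. The default is 'host'; a forwarded
  //    header is consulted only when the operator names it in `hostHeader`.
  const name = (config.hostHeader || 'host').toLowerCase();
  return cleanHost(headers[name]);
}

// Constructed request headers (Node lower-cases header names).
const sample = {
  host: 'app-1.internal:3000',
  'x-forwarded-host': 'shop.example.com'
};

console.log(resolveHost({}, sample));
console.log(resolveHost({ hostHeader: 'x-forwarded-host' }, sample));
console.log(resolveHost({ host: 'www.example.com' }, sample));
```

With the default config the forwarded header has no effect, which is the "off by default" property asked for in the thread.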