add Origin header on fetcher to avoid CORS error: No 'Access-Control-Allow-Origin' header error (with PR)

[opensas]

Describe the bug

I'm working locally from localhost:3000 against a local rest server listening at localhost:8080

Sveltekit is not sending the Origin header, and thus the server is not responding with the access-control-allow-origin: http://localhost:3000 header.

Tested with curl:

curl -v --request GET   --url http://localhost:8080/v1/endpoint --header 'Origin: http://localhost:3000'

< HTTP/1.1 200 OK
< access-control-allow-credentials: true
< access-control-allow-origin: http://localhost:3000
< content-length: 1332
< content-type: application/json

and without the header:

curl -v --request GET   --url http://localhost:8080/v1/endpoint'

< HTTP/1.1 200 OK
< content-length: 1332
< content-type: application/json
< date: Wed, 21 Sep 2022 17:09:55 GMT
< 
{ [1332 bytes data]

Reproduction

This github repo contains a complete example: https://github.com/opensas/sveltekit-cors-issue

Steps to reproduce from gitpod

open gitpod instance of this repo: https://gitpod.io/#https://github.com/opensas/sveltekit-cors-issue

terminal 1:

$ cd api
npm install
$ node index.js
server is listening on port 2020

terminal 2

$ cd frontend/
$ npm install
$ npm run dev

  VITE v3.1.3  ready in 559 ms

  ➜  Local:   http://127.0.0.1:5173/
  ➜  Network: use --host to expose

Click on Open Browser

Click on server (initially it will work because it will be fetching data from the client using the load function)

Press F5 (it will fail with a 500 - Internal Error, because will try to fetch data from the server using the load function)

Logs

  VITE v3.1.3  ready in 539 ms

  ➜  Local:   http://127.0.0.1:5173/
  ➜  Network: use --host to expose
CORS error: No 'Access-Control-Allow-Origin' header is present on the requested resource
Error: CORS error: No 'Access-Control-Allow-Origin' header is present on the requested resource
    at fetch (file:///workspace/sveltekit-cors-issue/frontend/node_modules/@sveltejs/kit/src/runtime/server/page/fetch.js:100:15)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async fetcher (file:///workspace/sveltekit-cors-issue/frontend/node_modules/@sveltejs/kit/src/runtime/server/page/fetch.js:63:20)
    at async load (/src/routes/server/+page.js:2:19)
    at async load_data (file:///workspace/sveltekit-cors-issue/frontend/node_modules/@sveltejs/kit/src/runtime/server/page/load_data.js:109:15)
    at async file:///workspace/sveltekit-cors-issue/frontend/node_modules/@sveltejs/kit/src/runtime/server/page/index.js:170:13

System Info

$ npx envinfo --system --binaries --browsers --npmPackages "{svelte,@sveltejs/*,vite}"
Need to install the following packages:
  envinfo@7.8.1
Ok to proceed? (y) y

  System:
    OS: Linux 5.15 Ubuntu 20.04.5 LTS (Focal Fossa)
    CPU: (16) x64 AMD EPYC 7B13
    Memory: 44.04 GB / 62.80 GB
    Container: Yes
    Shell: 5.0.17 - /bin/bash
  Binaries:
    Node: 16.17.0 - ~/.nvm/versions/node/v16.17.0/bin/node
    Yarn: 1.22.19 - ~/.nvm/versions/node/v16.17.0/bin/yarn
    npm: 8.15.0 - ~/.nvm/versions/node/v16.17.0/bin/npm
  npmPackages:
    @sveltejs/adapter-auto: next => 1.0.0-next.78 
    @sveltejs/kit: next => 1.0.0-next.492 
    svelte: ^3.44.0 => 3.50.1 
    vite: ^3.1.0 => 3.1.3 

Severity

blocking all usage of SvelteKit

Additional Information

This PR addresses the issue

[Conduitry]

Is this different from #6608 / #6901?

[opensas]

oops, sorry, I searched for CORS but missed those issues.
perhaps the repo with the reproducible issue might be helpful...
Thanks!