ignore URLs that the app does not own #1487

Merged
merged 1 commit into from
May 18, 2021

Rich-Harris
Member

Need to expedite a fix to this... if you have <a> elements on the page that have the same origin but don't share a base path with the app (to take a completely random example, a link to https://nytimes.com from https://www.nytimes.com/interactive/2021/us/covid-cases.html), the router will try to intercept the navigation but crashes. The same goes for prefetch.

This PR adds a concept of URL 'ownership' that makes it possible to prevent situations like this from occurring.

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpx changeset and following the prompts
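An added example, not code from this PR or from the project: one way to express the URL 'ownership' test described above, treating a URL as owned only when it has the app's origin and sits at or below the app's base path. The names `ownsUrl` and `decideNavigation` and the sample origin and base path are assumptions constructed for illustration.

```javascript
// Constructed sample deployment (assumed values, not taken from the PR).
const APP_ORIGIN = 'https://www.example.com';
const APP_BASE = '/interactive/2021/app';

// Returns true only if `href` resolves to the app's origin AND lies at or
// below its base path. Hypothetical helper, not the project's implementation.
function ownsUrl(href, origin = APP_ORIGIN, base = APP_BASE) {
  let url;
  try {
    // Resolve relative hrefs the way the browser would for a page inside the
    // app; the URL parser also collapses "." and ".." segments before we compare.
    url = new URL(href, origin + base + '/');
  } catch {
    return false; // unparseable href: not ours
  }
  // Scheme, host and port must all match. Schemes such as mailto: have an
  // opaque origin that serialises to "null" and fail here.
  if (url.origin !== origin) return false;

  const prefix = base.replace(/\/+$/, '');
  if (prefix === '') return true; // app mounted at the root owns the whole origin
  // Compare on a segment boundary so "/interactive/2021/app-old" is not
  // mistaken for a path under "/interactive/2021/app".
  return url.pathname === prefix || url.pathname.startsWith(prefix + '/');
}

// Hypothetical click-handler decision: intercept owned URLs, leave the rest
// to the browser's default navigation.
function decideNavigation(href) {
  return ownsUrl(href) ? 'router' : 'browser';
}
```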

Member

@benmccann benmccann left a comment

lgtm

const info = this.parse(url);

if (!info) {
throw new Error('Attempted to prefetch a URL that does not belong to this app');
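Review bot: the `if (!info)` branch throws for a URL the app does not own, while the PR title says such URLs are ignored; if this path can be reached from `<a>` elements on the page rather than only from an explicit call, the same links the router now skips would still raise an error here. Consider returning early in that case, or document that the throw is reserved for explicit prefetch calls.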
Member

I wonder if it's worth trying to shorten this message and the one below to save bytes shipped to the client, such as: 'Attempted to prefetch external URL'

Member Author

i don't think 'external' is correct — nytimes.com isn't external to nytimes.com/interactive/2021/us/covid-cases.html, in the normal sense of that word in a URL context

'ignores navigation to URLs the app does not own',
'/routing',
async ({ page, clicknav }) => {
await clicknav('[href="https://www.google.com"]');
Member

there's some chance that this will cause tests to fail on the CI. I have no idea what Google will do if it thinks it's being hit by an automated bot. Maybe we should use svelte.dev?

Member

The extra safe version would probably be to spin up another server on localhost on a different port, but that might be more hassle than it's worth, especially if this is a fix you're trying to get out quickly.

Member Author

it works fine locally, so presumably google has no problem with it. agree that it's a potential source of flakiness, but realistically if google.com is inaccessible the internet probably has bigger problems that day

@Rich-Harris
Member Author

man this is not a convenient time for github actions to flake out

@Rich-Harris Rich-Harris merged commit 37fc04f into master May 18, 2021
@Rich-Harris Rich-Harris deleted the ignore-unowned-urls branch May 18, 2021 18:33
andyburke pushed a commit to andyburke-forks/kit that referenced this pull request May 25, 2021