ignore URLs that the app does not own

.changeset/wise-bees-juggle.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+Ignore URLs that the app does not own

packages/kit/src/runtime/client/router.js

@@ -135,6 +135,8 @@ export class Router {
 			// Don't handle hash changes
 			if (url.pathname === location.pathname && url.search === location.search) return;
 
+			if (!this.owns(url)) return;
+
 			const noscroll = a.hasAttribute('sveltekit:noscroll');
 			history.pushState({}, '', url.href);
 			this._navigate(url, noscroll ? scroll_state() : null, [], url.hash);
@@ -155,22 +157,26 @@ export class Router {
 		history.replaceState(history.state || {}, '', location.href);
 	}
 
+	/** @param {URL} url */
+	owns(url) {
+		return url.origin === location.origin && url.pathname.startsWith(this.base);
+	}
+
 	/**
 	 * @param {URL} url
 	 * @returns {import('./types').NavigationInfo}
 	 */
 	parse(url) {
-		if (url.origin !== location.origin) return null;
-		if (!url.pathname.startsWith(this.base)) return null;
+		if (this.owns(url)) {
+			const path = decodeURIComponent(url.pathname.slice(this.base.length) || '/');
 
-		const path = decodeURIComponent(url.pathname.slice(this.base.length) || '/');
+			const routes = this.routes.filter(([pattern]) => pattern.test(path));
 
-		const routes = this.routes.filter(([pattern]) => pattern.test(path));
+			const query = new URLSearchParams(url.search);
+			const id = `${path}?${query}`;
 
-		const query = new URLSearchParams(url.search);
-		const id = `${path}?${query}`;
-
-		return { id, routes, path, query };
+			return { id, routes, path, query };
+		}
 	}
 
 	/**
@@ -179,14 +185,14 @@ export class Router {
 	 * @param {string[]} chain
 	 */
 	async goto(href, { noscroll = false, replaceState = false } = {}, chain) {
-		if (this.enabled) {
-			const url = new URL(href, get_base_uri(document));
+		const url = new URL(href, get_base_uri(document));
 
+		if (this.enabled && this.owns(url)) {
 			history[replaceState ? 'replaceState' : 'pushState']({}, '', href);
 			return this._navigate(url, noscroll ? scroll_state() : null, chain, url.hash);
 		}
 
-		location.href = href;
+		location.href = url.href;
 		return new Promise(() => {
 			/* never resolves */
 		});
@@ -205,7 +211,13 @@ export class Router {
 	 * @returns {Promise<import('./types').NavigationResult>}
 	 */
 	async prefetch(url) {
-		return this.renderer.load(this.parse(url));
+		const info = this.parse(url);
+
+		if (!info) {
+			throw new Error('Attempted to prefetch a URL that does not belong to this app');
+		}
+
+		return this.renderer.load(info);
 	}
 
 	/**
@@ -217,6 +229,10 @@ export class Router {
 	async _navigate(url, scroll, chain, hash) {
 		const info = this.parse(url);
 
+		if (!info) {
+			throw new Error('Attempted to navigate to a URL that does not belong to this app');
+		}
+
 		// remove trailing slashes
 		if (info.path !== '/') {
 			const has_trailing_slash = info.path.endsWith('/');

packages/kit/test/apps/basics/src/routes/routing/_tests.js

@@ -121,6 +121,15 @@ export default function (test) {
 
 			const requests2 = await capture_requests(() => app.goto('/routing/prefetched'));
 			assert.equal(requests2, []);
+
+			try {
+				await app.prefetch('https://example.com');
+				throw new Error('Error was not thrown');
+			} catch (e) {
+				assert.ok(
+					e.message.includes('Attempted to prefetch a URL that does not belong to this app')
+				);
+			}
 		}
 	});
 
@@ -200,4 +209,13 @@ export default function (test) {
 			assert.equal(await page.textContent('h2'), 'y-z');
 		}
 	);
+
+	test(
+		'ignores navigation to URLs the app does not own',
+		'/routing',
+		async ({ page, clicknav }) => {
+			await clicknav('[href="https://www.google.com"]');
+			assert.equal(await page.url(), 'https://www.google.com/');
+		}
+	);
 }

packages/kit/test/apps/basics/src/routes/routing/index.svelte

@@ -2,5 +2,6 @@
 
 <a href="/routing/a">a</a>
 <a href="/routing/ambiguous/ok.json">ok</a>
+<a href="https://www.google.com">elsewhere</a>
 
-<div class='hydrate-test'></div>
+<div class='hydrate-test'></div>