breaking: disallow external navigation using goto by default

closes #8775
sveltejs · Dec 6, 2023 · 6b7d066 · 6b7d066
1 parent 19be5e5
commit 6b7d066
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/.changeset/silent-games-taste.md b/.changeset/silent-games-taste.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': major
+---
+
+breaking: disallow external navigation using `goto` by default
diff --git a/packages/kit/src/runtime/app/navigation.js b/packages/kit/src/runtime/app/navigation.js
@@ -16,14 +16,16 @@ export const disableScrollHandling = /* @__PURE__ */ client_method('disable_scro
  *   noScroll?: boolean;
  *   keepFocus?: boolean;
  *   invalidateAll?: boolean;
+ *   external?: boolean;
  *   state?: any
  * }) => Promise<void>}
  * @param {string | URL} url Where to navigate to. Note that if you've set [`config.kit.paths.base`](https://kit.svelte.dev/docs/configuration#paths) and the URL is root-relative, you need to prepend the base path if you want to navigate within the app.
  * @param {Object} [opts] Options related to the navigation
  * @param {boolean} [opts.replaceState] If `true`, will replace the current `history` entry rather than creating a new one with `pushState`
  * @param {boolean} [opts.noScroll] If `true`, the browser will maintain its scroll position rather than scrolling to the top of the page after navigation
  * @param {boolean} [opts.keepFocus] If `true`, the currently focused element will retain focus after navigation. Otherwise, focus will be reset to the body
- * @param {boolean} [invalidateAll] If `true`, all `load` functions of the page will be rerun. See https://kit.svelte.dev/docs/load#rerunning-load-functions for more info on invalidation.
+ * @param {boolean} [opts.invalidateAll] If `true`, all `load` functions of the page will be rerun. See https://kit.svelte.dev/docs/load#rerunning-load-functions for more info on invalidation.
+ * @param {boolean} [opts.external] By default, `goto` will not navigate to external URLs for consistency and security reasons. Set this to `true` to allow navigating to external URLs.
  * @param {any} [opts.state] The state of the new/updated history entry
  * @returns {Promise<void>}
  */

diff --git a/packages/kit/src/runtime/client/client.js b/packages/kit/src/runtime/client/client.js
@@ -219,7 +219,7 @@ export function create_client(app, target) {
 
 	/**
 	 * @param {string | URL} url
-	 * @param {{ noScroll?: boolean; replaceState?: boolean; keepFocus?: boolean; state?: any; invalidateAll?: boolean }} opts
+	 * @param {{ noScroll?: boolean; replaceState?: boolean; keepFocus?: boolean; state?: any; invalidateAll?: boolean, external?: boolean }} opts
 	 * @param {number} redirect_count
 	 * @param {{}} [nav_token]
 	 */
@@ -230,14 +230,23 @@ export function create_client(app, target) {
 			replaceState = false,
 			keepFocus = false,
 			state = {},
-			invalidateAll = false
+			invalidateAll = false,
+			external = false
 		},
 		redirect_count,
 		nav_token
 	) {
 		if (typeof url === 'string') {
 			url = new URL(url, get_base_uri(document));
 		}
+		if (!external && url.origin !== origin) {
+			if (DEV) {
+				throw new Error(
+					'Cannot navigate to an external URL using `goto` unless the `external` option is set'
+				);
+			}
+			return;
+		}
 
 		return navigate({
 			url,