Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

breaking: disallow external navigation using goto #11207

Merged
merged 15 commits into from
Dec 9, 2023
Merged

breaking: disallow external navigation using goto #11207

merged 15 commits into from
Dec 9, 2023

Conversation

dummdidumm
Copy link
Member

closes #8775

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Dec 6, 2023
edited
Loading

🦋 Changeset detected

Latest commit: 87dc49f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@eltigerchino
Copy link
Member

Should we add a test to check that goto doesn't navigate to external URLs without the external option? Otherwise, LGTM

@benmccann benmccann added this to the 2.0 milestone Dec 6, 2023
@benmccann
Copy link
Member

I wonder if we should also add an external option in v1, allow you to navigate externally without, but log a warning if you don't use it

dummdidumm added a commit that referenced this pull request Dec 7, 2023
@dummdidumm
feat: warn on external goto navigation
1303712 
in preparation for SvelteKit 2
related to #8775 / #11207
@dummdidumm dummdidumm mentioned this pull request Dec 7, 2023
Closed
5 tasks
@benmccann
Copy link
Member

One other question about this - should it be called external or allowExternal? You may be passing a URL that could be either internal or external in which case allowExternal makes more sense. It is slightly more verbose though...

@Rich-Harris
Copy link
Member

We concluded that there's no value in having an external option. It complicates the API for zero benefit

@Rich-Harris Rich-Harris changed the title breaking: disallow external navigation using goto by default breaking: disallow external navigation using goto Dec 8, 2023
@Rich-Harris @benmccann
Update packages/kit/src/exports/public.d.ts
4ddf16d 
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
benmccann
benmccann reviewed Dec 8, 2023
View reviewed changes
packages/kit/src/runtime/client/client.js Outdated
@@ -1376,6 +1376,19 @@ export function create_client(app, target) {
},

goto: (href, opts = {}) => {
if (typeof href === 'string') {
href = new URL(href, get_base_uri(document));
Copy link
Member

@benmccann benmccann Dec 8, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there are three places we do new URL(href, get_base_uri(document)) now. is that worthy of a helper?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only see two — where's the third?

as an aside the if (typeof href === 'string') check is arguably unnecessary, since if href (which is a badly named argument) is already a URL then it'll just be cloned harmlessly. goto isn't a hot code path so it's probably more valuable to shrink the code than to avoid the extra work

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one is new URL(url, get_base_uri(document)), but same thing. It also has that if (typeof href === 'string') check so we could either move it into the helper or remove it. I'm fine with removing it

Copy link
Member

@Rich-Harris Rich-Harris Dec 9, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, right. yep, have consolidated all this logic in a replacement for get_base_uri called resolve_url. much nicer, good catch

@Rich-Harris @benmccann
Update packages/kit/src/runtime/client/client.js
b8fe747 
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
@benmccann
Copy link
Member

I don't have a strong opinion on whether this or the old API is better, but I'm fine with this change. I did notice though that the issue was created due to some worry about goto being called with javascript: URLs. Do you think we need a test for that case to prevent us from ever changing the API back or is that overkill?

Anyway, that's my last comment, so feel free to merge whenever you're happy with it

@Rich-Harris Rich-Harris merged commit dab9817 into version-2 Dec 9, 2023
13 checks passed
@Rich-Harris Rich-Harris deleted the goto-external branch December 9, 2023 01:20
@Rich-Harris Rich-Harris mentioned this pull request Dec 9, 2023
Closed
@github-actions github-actions bot mentioned this pull request Dec 14, 2023
Merged
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request Feb 22, 2024
@justuswilhelm
FE: Fix external page navigation issue
88727f0 
SvelteKit's goto(url) can't navigate to third party pages anymore (makes
sense)

sveltejs/kit#11207
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request Feb 22, 2024
@justuswilhelm
FE: Fix external page navigation issue
09a2a2f 
SvelteKit's goto(url) can't navigate to third party pages anymore (makes
sense)

sveltejs/kit#11207
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rich-Harris Rich-Harris Rich-Harris approved these changes

@benmccann benmccann benmccann left review comments

Assignees
No one assigned
Labels
breaking change
Projects
None yet
Milestone
2.0
Development

Successfully merging this pull request may close these issues.
4 participants
@dummdidumm @eltigerchino @benmccann @Rich-Harris