SvelteKit 1.15.1 updates the is_form_content_type function call in the CSRF protection logic to include text/plain.
As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on PUT, PATCH and DELETE methods as well. This latter hardening is only needed to protect users who have put in some sort of ?_method= override feature themselves in their handle hook, so that the request that resolve sees could be PUT/PATCH/DELETE when the browser issues a POST request.
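The following is an added illustration, not SvelteKit's own source: a simplified model of the origin check that SvelteKit's CSRF protection applies to form submissions, with the pre-1.15.1 rules (POST only, no text/plain) beside the hardened 1.15.1 rules, plus a hypothetical user-written ?_method= override of the kind the text describes. The site origin and the sample requests are constructed.

```javascript
// Added illustration (assumption: simplified model, not SvelteKit's source).
const SITE_ORIGIN = 'https://app.example'; // constructed sample origin

const FORM_TYPES_OLD = ['application/x-www-form-urlencoded', 'multipart/form-data'];
const FORM_TYPES_NEW = [...FORM_TYPES_OLD, 'text/plain']; // 1.15.1 adds text/plain
const METHODS_OLD = ['POST'];
const METHODS_NEW = ['POST', 'PUT', 'PATCH', 'DELETE']; // 1.15.1 validates these too

// These media types can be sent cross-site by a plain HTML form without a
// CORS preflight, so they are the ones the Origin check must gate.
function isFormContentType(contentType, formTypes) {
  // Drop parameters such as "; charset=utf-8" or "; boundary=..." before comparing.
  const mediaType = (contentType ?? '').split(';')[0].trim().toLowerCase();
  return formTypes.includes(mediaType);
}

// Returns true when the request should be rejected as a cross-site submission.
function isForbiddenCsrf(request, siteOrigin, { formTypes, methods }) {
  if (!methods.includes(request.method)) return false;
  if (!isFormContentType(request.headers['content-type'], formTypes)) return false;
  return request.headers['origin'] !== siteOrigin;
}

const checkOld = (req) => isForbiddenCsrf(req, SITE_ORIGIN, { formTypes: FORM_TYPES_OLD, methods: METHODS_OLD });
const checkNew = (req) => isForbiddenCsrf(req, SITE_ORIGIN, { formTypes: FORM_TYPES_NEW, methods: METHODS_NEW });

// Hypothetical user-written handle-hook logic: honours ?_method= so that
// resolve() sees PUT/PATCH/DELETE although the browser issued a POST.
function applyMethodOverride(request) {
  const override = new URL(request.url).searchParams.get('_method')?.toUpperCase();
  if (request.method === 'POST' && ['PUT', 'PATCH', 'DELETE'].includes(override)) {
    return { ...request, method: override };
  }
  return request;
}

// Constructed sample requests; the cross-site ones carry a different Origin.
const crossSiteTextPlain = { method: 'POST', url: `${SITE_ORIGIN}/account`,
  headers: { 'content-type': 'text/plain;charset=UTF-8', origin: 'https://other.example' } };
const crossSiteOverride = applyMethodOverride({ method: 'POST', url: `${SITE_ORIGIN}/account?_method=DELETE`,
  headers: { 'content-type': 'application/x-www-form-urlencoded', origin: 'https://other.example' } });
const sameSiteForm = { method: 'POST', url: `${SITE_ORIGIN}/account`,
  headers: { 'content-type': 'multipart/form-data; boundary=xyz', origin: SITE_ORIGIN } };
const crossSiteJson = { method: 'POST', url: `${SITE_ORIGIN}/api`,
  headers: { 'content-type': 'application/json', origin: 'https://other.example' } };
```

Under the old rules both cross-site samples pass the check (text/plain is not treated as a form type, and the overridden DELETE is never inspected); under the 1.15.1 rules both are rejected, while the same-origin form and the JSON request are unaffected.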
The alert recommends the following actions:
Upgrade @sveltejs/kit to version 1.15.1 or later. For example: