Describe the bug
Background
SvelteKit periodically polls for a JSON file containing version information (`kit/packages/kit/src/runtime/client/utils.js`, lines 271 to 276 in 63285ee):

```js
const res = await fetch(`${assets}/${__SVELTEKIT_APP_VERSION_FILE__}`, {
	headers: {
		pragma: 'no-cache',
		'cache-control': 'no-cache'
	}
});
```
In addition to the standard `'cache-control': 'no-cache'` header, the implementation also sets the now deprecated HTTP/1.0 `'pragma': 'no-cache'` header (presumably just in case, to also support ancient servers?).
Issue
In certain configurations, usage of this `Pragma` header prevents the request from succeeding.
When the entrypoint (`index.html`) of a SvelteKit-built SPA is hosted on a different domain than the JavaScript assets, only requests that use exclusively CORS-safelisted headers can be made without a passing CORS preflight response.
Since `Pragma` (as opposed to `cache-control`) is not safelisted, the preflight response has to include a valid `Access-Control-Allow-Origin` header.
However, since most CDNs don't set this header by default on static assets (and some CDNs might not allow setting it even with additional configuration), the CORS preflight will fail and the browser will refuse to retrieve the version JSON, breaking the check functionality entirely.
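An added example (my own code, not SvelteKit's) that models the browser's CORS decision for this fetch: which of the request's headers force a preflight, and whether a constructed CDN preflight response satisfies it. It uses the Fetch spec's safelist (accept, accept-language, content-language, content-type, range), on which `cache-control` does not appear either, so it reports both headers as preflight-triggering; the origin and CDN responses are assumptions made up for the illustration.

```javascript
// Added example, not SvelteKit code: models the CORS decision the browser makes for
// the version-file fetch. Origins and sample responses are constructed for this
// illustration. Assumes the request carries no credentials (fetch's default for a
// cross-origin request), which is what makes a '*' wildcard acceptable.

// Fetch spec: CORS-safelisted request-header names (Content-Type and Range also carry
// value restrictions, ignored here because the version fetch sets neither).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type', 'range']);

// Author-set headers that force a preflight (anything not on the safelist).
function nonSafelistedHeaders(headers) {
  return Object.keys(headers).map((n) => n.toLowerCase()).filter((n) => !SAFELISTED.has(n));
}

// Evaluate an OPTIONS (preflight) response against a request: status must be 2xx, the
// origin must be echoed (or '*'), and every non-safelisted header must be allow-listed.
function preflightAllows(preflight, { origin, headers }) {
  if (preflight.status < 200 || preflight.status > 299) return { ok: false, reason: 'preflight status not 2xx' };
  const h = Object.fromEntries(Object.entries(preflight.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h['access-control-allow-origin'];
  if (acao !== '*' && acao !== origin) return { ok: false, reason: 'Access-Control-Allow-Origin missing or mismatched' };
  const allowed = (h['access-control-allow-headers'] || '').split(',').map((s) => s.trim().toLowerCase());
  const missing = nonSafelistedHeaders(headers).filter((n) => !allowed.includes(n) && !allowed.includes('*'));
  if (missing.length) return { ok: false, reason: `headers not allowed: ${missing.join(', ')}` };
  return { ok: true, reason: '' };
}

// Constructed scenario: SPA served from app.example, assets and version file on a CDN.
const VERSION_REQUEST = { origin: 'https://app.example', headers: { pragma: 'no-cache', 'cache-control': 'no-cache' } };
// A CDN that serves static assets with no CORS headers at all.
const CDN_DEFAULT_PREFLIGHT = { status: 204, headers: {} };
// The same CDN after it has been configured to answer the preflight.
const CDN_CONFIGURED_PREFLIGHT = {
  status: 204,
  headers: { 'Access-Control-Allow-Origin': 'https://app.example', 'Access-Control-Allow-Headers': 'pragma, cache-control' }
};

console.log(nonSafelistedHeaders(VERSION_REQUEST.headers)); // [ 'pragma', 'cache-control' ]
console.log(preflightAllows(CDN_DEFAULT_PREFLIGHT, VERSION_REQUEST).reason); // ACAO missing or mismatched
console.log(preflightAllows(CDN_CONFIGURED_PREFLIGHT, VERSION_REQUEST).ok); // true
```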
Suggested Fix
Since the `Pragma` header has been obsolete since 1999 and has since been deprecated, not setting it might be a better default.
MDN also suggests avoiding it:
> Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible.
Since this might even break some setups, it would technically be a breaking change, so 3.0 might be a good chance for removing it.