From d9244d6f3cef8d6d7cba9b00fce2b25621742616 Mon Sep 17 00:00:00 2001 From: Fuwn Date: Thu, 21 May 2026 13:44:59 +0000 Subject: fix(settings): send JSON Content-Type on configuration PUTs fetch() defaults a string body to text/plain, which SvelteKit's csrf_check_origin treats as a form submission. Behind portless's HTTPS-to-HTTP dev proxy the Origin scheme mismatches url.origin and the requests 403'd. Declaring application/json is correct for the body and bypasses the form-content-type check. --- src/lib/CommandPalette/syncActions.ts | 1 + src/lib/Settings/Categories/SettingSync.svelte | 2 ++ 2 files changed, 3 insertions(+) (limited to 'src/lib') diff --git a/src/lib/CommandPalette/syncActions.ts b/src/lib/CommandPalette/syncActions.ts index 49859221..90c6a931 100644 --- a/src/lib/CommandPalette/syncActions.ts +++ b/src/lib/CommandPalette/syncActions.ts @@ -24,6 +24,7 @@ export const syncActions = ( fetch(root(`/api/configuration`), { method: "PUT", + headers: { "Content-Type": "application/json" }, body: JSON.stringify(get(settings)), }) .then((response) => { diff --git a/src/lib/Settings/Categories/SettingSync.svelte b/src/lib/Settings/Categories/SettingSync.svelte index 0cfe9261..867b2b47 100644 --- a/src/lib/Settings/Categories/SettingSync.svelte +++ b/src/lib/Settings/Categories/SettingSync.svelte @@ -29,6 +29,7 @@ import settingsSyncTimes from "$stores/settingsSyncTimes"; } else { fetch(root(`/api/configuration`), { method: 'PUT', + headers: { 'Content-Type': 'application/json' }, body: JSON.stringify($settings) }).then((response) => { if (response.ok) @@ -56,6 +57,7 @@ import settingsSyncTimes from "$stores/settingsSyncTimes"; fetch(root(`/api/configuration`), { method: 'PUT', + headers: { 'Content-Type': 'application/json' }, body: JSON.stringify($settings) }).then((response) => { if (response.ok) -- cgit v1.2.3