fix: cross-site post form submissions are forbidden when using load balancer in front

[KumanoTanaka]

In my use case

• end-client -(https)-> GCP load balancer -(http)-> docker containerized app using svelte-adapter-bun

key points

• gcp load balancer request to my svelte app by using http://my-domain.com url but https is set to X-Forwarded-Proto. <-- so I want to modify request's base-url on every request. (even ORIGIN === get_origin(request.headers) case).
• docker containerized app such as k8s, google-cloud cloudrun uses health check request which dose not contain x-forwarded-for header. <-- I want to ignore "ADDRESS_HEADER" check of those health-check requests

(GCP load balancer http-header forwarding rules are described here)

I think this PR will help issue #54

[dihmeetree]

Thank you for this fix. Was trying to figure this out for like 2 hours lol. Can confirm it fixes the issue 🙂

[kjell0w]

Do we have any updates on this? Will this be merged? Seems like the issue still persists

[vyconm]

Please merge this - it's the only thing holding us back from deploying it in production, due to issue #54 which If I understand correctly, is related to this :)

[notramo]

What about entirely removing the origin checking? It's an insufficient security measure, and is harmful by providing a false sense of security. Origin can be spoofed, so it doesn't protect against sophisticated attacks. An XSRF token form field is a proper solution.