sveltejs · benmccann · Jul 7, 2021 · Jul 7, 2021 · Jul 7, 2021 · Jul 7, 2021
diff --git a/.changeset/silly-grapes-cover.md b/.changeset/silly-grapes-cover.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+Enable Vite's server.fs.strict by default
diff --git a/documentation/faq/90-fs-strict.md b/documentation/faq/90-fs-strict.md
@@ -0,0 +1,10 @@
+---
+question: "Internal server error: The request url [...] is outside of Vite serving allow list"
+---
+
+For security reasons, Vite has been configured to only allow filesystem access when the request file fulfils one of these requirements:
+- Within workspace root
+- Within the listed `server.fs.allow` exceptions
+- Part of the dependency graph of your application code
+
+Refer to Vite documentation for [`server.fs.allow`](https://vitejs.dev/config/#server-fs-allow) for configuration and more details.
diff --git a/packages/kit/src/core/build/index.js b/packages/kit/src/core/build/index.js
@@ -134,8 +134,19 @@ async function build_client({
 	/** @type {any} */
 	const user_config = config.kit.vite();
 
+	const default_config = {
+		server: {
+			fs: {
+				strict: true
+			}
+		}
+	};
+
+	// don't warn on overriding defaults
+	const [modified_user_config] = deep_merge(default_config, user_config);
+
 	/** @type {[any, string[]]} */
-	const [merged_config, conflicts] = deep_merge(user_config, {
+	const [merged_config, conflicts] = deep_merge(modified_user_config, {
 		configFile: false,
 		root: cwd,
 		base,
@@ -408,8 +419,19 @@ async function build_server(
 	/** @type {any} */
 	const user_config = config.kit.vite();
 
+	const default_config = {
+		server: {
+			fs: {
+				strict: true
+			}
+		}
+	};
+
+	// don't warn on overriding defaults
+	const [modified_user_config] = deep_merge(default_config, user_config);
+
 	/** @type {[any, string[]]} */
-	const [merged_config, conflicts] = deep_merge(user_config, {
+	const [merged_config, conflicts] = deep_merge(modified_user_config, {
 		configFile: false,
 		root: cwd,
 		base,
@@ -515,8 +537,19 @@ async function build_service_worker(
 	/** @type {any} */
 	const user_config = config.kit.vite();
 
+	const default_config = {
+		server: {
+			fs: {
+				strict: true
+			}
+		}
+	};
+
+	// don't warn on overriding defaults
+	const [modified_user_config] = deep_merge(default_config, user_config);
+
 	/** @type {[any, string[]]} */
-	const [merged_config, conflicts] = deep_merge(user_config, {
+	const [merged_config, conflicts] = deep_merge(modified_user_config, {
 		configFile: false,
 		root: cwd,
 		base,

diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
@@ -82,15 +82,26 @@ class Watcher extends EventEmitter {
 		/** @type {any} */
 		const user_config = (this.config.kit.vite && this.config.kit.vite()) || {};
 
+		const default_config = {
+			server: {
+				fs: {
+					strict: true
+				}
+			}
+		};
+
 		/** @type {(req: import("http").IncomingMessage, res: import("http").ServerResponse) => void} */
 		let handler = (req, res) => {};
 
 		this.server = await get_server(this.https, user_config, (req, res) => handler(req, res));
 
 		const alias = user_config.resolve && user_config.resolve.alias;
 
+		// don't warn on overriding defaults
+		const [modified_user_config] = deep_merge(default_config, user_config);
+
 		/** @type {[any, string[]]} */
-		const [merged_config, conflicts] = deep_merge(user_config, {
+		const [merged_config, conflicts] = deep_merge(modified_user_config, {
 			configFile: false,
 			root: this.cwd,
 			resolve: {