feat: validate values for cache-control and content-type headers in dev mode

[JR-G]

Fix for #12784

Adds validation for common HTTP headers in dev mode to help catch invalid values early:

• Validates cache-control directives against standard values
• Validates content-type format
• Only active in dev mode

run pnpm dev from test/apps/basics and navigate to http://localhost:5173/headers/invalid. In your console you'll see:

[SvelteKit] Invalid cache-control directive "totally-invalid". Did you mean one of: max-age, public, private, no-cache, no-store, must-revalidate, proxy-revalidate, s-maxage, immutable, stale-while-revalidate, stale-if-error, no-transform, only-if-cached, max-stale, min-fresh
[SvelteKit] Invalid content-type value "not-a-real-type"

---

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

• Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

[changeset-bot]

🦋 Changeset detected

Latest commit: 15d9f74

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Rich-Harris]

preview: https://svelte-dev-git-preview-kit-13114-svelte.vercel.app/

this is an automated message

[elliott-with-the-longest-name-on-github]

Suggested change

	.map((directive) => directive.trim().split('=')[0].toLowerCase());
	.map((directive) => directive.trim().split('=').at(0)?.toLowerCase());

Is it possible for the string to end up with an empty entry after splitting on ','? Like cache-control: stale-while-revalidate,,no-transform or something? Obviously that's still wrong, but hopefully we'd catch that and show an error, not throw a hard-to-debug runtime error 🤔

[JR-G]

This was a good point! I've introduced an additional check to catch the empty directives.

[elliott-with-the-longest-name-on-github]

Same thing here, I think you can add a global declaration to the top and avoid using globalThis here.

[JR-G]

I found success in the other declarations, but I didn't have much luck silencing it here, despite trying a couple of things 🤔.

[elliott-with-the-longest-name-on-github]

Suggested change

	/^(application|audio|font|image|model|text|video|x-[a-z]+)\/[-+.\w]+$/i;
	/^(application|audio|font|image|model|text|video|x-[a-z]+)\/[-+.\w]+$/i;

The IANA spec defines the following top-level types, some of which are not included here:

• application
• audio
• example
• font
• haptics
• image
• message
• model
• multipart
• text
• video

[JR-G]

Thanks! Updated to reflect this.

[elliott-with-the-longest-name-on-github]

You can move this to the test-dev-only package -- that package only runs dev tests, which means you don't need to fake the globalThis.__SVELTEKIT_DEV__ thing.

[JR-G]

Shifted!

[elliott-with-the-longest-name-on-github]

Thanks @JR-G! I pushed a commit with a few improvements to the tests (mainly just simplifying setup) and some additional information in the error messages. Great PR. Merging as soon as CI passes :)