fix: remove unnecessary path validation which breaks fetch with custom path base (#15291)

closes #11078


When having a custom base path:
```js
{
  kit: {
  	paths: {
  		base: '/ui'
  	}
  }
}
```

And making a request to a different server hosted on the same domain,
`+layout.server.ts`:
```ts
export const load: LayoutServerLoad = async ({ fetch }) => {
  const workingResponse = await fetch('/ui/api'); // works if api is defined in sveltekit
  const failingResponse = await fetch('/profile'); // returns 404, instead of making request and providing cookies
}
```

Making a request to the same origin but to a different server not with
the configured `paths.base`, currently doesn't work but this should be
allowed and possible as they share the same domain name.

---

### Please don't delete this checklist! Before submitting the PR, please
make sure you do the following:
- [x] It's really useful if your PR references an issue where it is
discussed ahead of time. In many cases, features are absent for a
reason. For large changes, please create an RFC:
https://github.com/sveltejs/rfcs
- [x] This message body should clearly illustrate what problems it
solves.
- [x] Ideally, include a test that fails without this PR but passes with
it.

### Tests
- [x] Run the tests with `pnpm test` and lint the project with `pnpm
lint` and `pnpm check`

### Changesets
- [x] If your PR makes a change that should be noted in one or more
packages' changelogs, generate a changeset by running `pnpm changeset`
and following the prompts. Changesets that add features should be
`minor` and those that fix bugs should be `patch`. Please prefix
changeset messages with `feat:`, `fix:`, or `chore:`.

### Edits

- [x] Please ensure that 'Allow edits from maintainers' is checked. PRs
without this option may be closed.

---------

Co-authored-by: Tee Ming <chewteeming01@gmail.com>

Author: goulinkh

.changeset/honest-cobras-jog.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: `fetch` not working when URL is same host but different than `paths.base`

packages/kit/src/runtime/server/fetch.js

@@ -55,7 +55,12 @@ export function create_fetch({ event, options, manifest, state, get_cookie_heade
 					request.headers.delete('origin');
 				}
 
-				if (url.origin !== event.url.origin) {
+				const decoded = decodeURIComponent(url.pathname);
+
+				if (
+					url.origin !== event.url.origin ||
+					(paths.base && decoded !== paths.base && !decoded.startsWith(`${paths.base}/`))
+				) {
 					// Allow cookie passthrough for "credentials: same-origin" and "credentials: include"
 					// if SvelteKit is serving my.domain.com:
 					// -        domain.com WILL NOT receive cookies
@@ -77,7 +82,6 @@ export function create_fetch({ event, options, manifest, state, get_cookie_heade
 				// handle fetch requests for static assets. e.g. prebaked data, etc.
 				// we need to support everything the browser's fetch supports
 				const prefix = paths.assets || paths.base;
-				const decoded = decodeURIComponent(url.pathname);
 				const filename = (
 					decoded.startsWith(prefix) ? decoded.slice(prefix.length) : decoded
 				).slice(1);

packages/kit/test/apps/dev-only/src/routes/request-abort/+page.svelte

@@ -11,7 +11,7 @@
 			fetch('/request-abort', { headers: { accept: 'application/json' } }).then(
 				async (r) => (result = await r.json())
 			);
-		}, 100);
+		}, 50);
 	}
 
 	onMount(test_abort);

packages/kit/test/apps/options/source/pages/+server.js

@@ -0,0 +1,3 @@
+export function GET() {
+	return new Response('root');
+}

packages/kit/test/apps/options/source/pages/fetch/link-outside-base/+page.server.js

@@ -0,0 +1,7 @@
+export async function load({ fetch }) {
+	const response = await fetch('/not-base-path/');
+	return {
+		fetchUrl: response.url,
+		fetchResponse: await response.text()
+	};
+}

packages/kit/test/apps/options/source/pages/fetch/link-outside-base/+page.svelte

@@ -0,0 +1,7 @@
+<script>
+	/** @type {import('./$types').PageProps} */
+	const { data } = $props();
+</script>
+
+<p data-testid="fetch-url">{data.fetchUrl}</p>
+<p data-testid="fetch-response">{data.fetchResponse}</p>

packages/kit/test/apps/options/source/pages/fetch/link-root/+page.server.js

@@ -0,0 +1,20 @@
+export async function load({ fetch }) {
+	// fetch to root with trailing slash
+	const response1 = await fetch('/', { redirect: 'manual' });
+	// fetch to root without trailing slash
+	const response2 = await fetch('', { redirect: 'manual' });
+	return {
+		fetches: [
+			{
+				url: response1.url,
+				response: await response1.text(),
+				redirect: response1.headers.get('location')
+			},
+			{
+				url: response2.url,
+				response: await response2.text(),
+				redirect: response2.headers.get('location')
+			}
+		]
+	};
+}

packages/kit/test/apps/options/source/pages/fetch/link-root/+page.svelte

@@ -0,0 +1,29 @@
+<script>
+	/** @type {import('./$types').PageProps} */
+	const { data } = $props();
+</script>
+
+<h2>Fetch URLs</h2>
+
+<dl>
+	{#each data.fetches as item, index}
+		<dt>fetch{index + 1}-url</dt>
+		<dd data-testid={`fetch${index + 1}-url`}>{item.url}</dd>
+	{/each}
+</dl>
+
+<h2>Fetch Responses</h2>
+<dl>
+	{#each data.fetches as item, index}
+		<dt>fetch{index + 1}-response</dt>
+		<dd data-testid="fetch{index + 1}-response">{item.response}</dd>
+	{/each}
+</dl>
+
+<h2>Fetch Redirects</h2>
+<dl>
+	{#each data.fetches as item, index}
+		<dt>fetch{index + 1}-redirect</dt>
+		<dd data-testid="fetch{index + 1}-redirect">{item.redirect}</dd>
+	{/each}
+</dl>

packages/kit/test/apps/options/source/pages/fetch/link-root/+server.js

@@ -0,0 +1,3 @@
+export function GET() {
+	return new Response('relative');
+}

packages/kit/test/apps/options/test/paths-assets.test.js

@@ -77,6 +77,34 @@ test.describe('base path', () => {
 		expect(page.url()).toBe(`${baseURL}/path-base/resolve-route/resolved/`);
 		expect(await page.textContent('h2')).toBe('resolved');
 	});
+
+	test('server load fetch without base path does not invoke the server', async ({
+		page,
+		baseURL
+	}) => {
+		await page.goto('/path-base/fetch/link-outside-base/');
+		await expect(page.locator('[data-testid="fetch-url"]')).toHaveText(`${baseURL}/not-base-path/`);
+		await expect(page.locator('[data-testid="fetch-response"]')).toContainText(
+			'did you mean to visit'
+		);
+	});
+
+	test('server load fetch to root does not invoke the server', async ({ page, baseURL }) => {
+		await page.goto('/path-base/fetch/link-root/');
+		// fetch to root with trailing slash
+		await expect(page.locator('[data-testid="fetch1-url"]')).toHaveText(`${baseURL}/`);
+		if (process.env.DEV) {
+			await expect(page.locator('[data-testid="fetch1-redirect"]')).toHaveText('/path-base');
+		} else {
+			await expect(page.locator('[data-testid="fetch1-response"]')).toContainText(
+				'did you mean to visit'
+			);
+		}
+
+		// fetch to root without trailing slash should be relative
+		await expect(page.locator('[data-testid="fetch2-url"]')).toBeEmpty();
+		await expect(page.locator('[data-testid="fetch2-response"]')).toHaveText('relative');
+	});
 });
 
 test.describe('assets path', () => {