Sync kit docs (#1496)

sync kit docs

Co-authored-by: svelte-docs-bot[bot] <196124396+svelte-docs-bot[bot]@users.noreply.github.com>

Author: github-actions[bot]

apps/svelte.dev/content/docs/kit/98-reference/50-configuration.md

@@ -264,6 +264,30 @@ Whether to check the incoming `origin` header for `POST`, `PUT`, `PATCH`, or `DE
 
 To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 
+</div>
+</div>
+<div class="ts-block-property">
+
+```ts
+// @noErrors
+trustedOrigins?: string[];
+```
+
+<div class="ts-block-property-details">
+
+<div class="ts-block-property-bullets">
+
+- <span class="tag">default</span> `[]`
+
+</div>
+
+An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+
+Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
+This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
+
+**Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
+
 </div>
 </div>