[2023-11] Add notes about security to GraphQL-over-HTTP spec about graphql-over-http HOT 11 OPEN

I'm all for adding important security notes or references when appropriate to the spec as a note.

As it particularly relates to multipart/form-data, we should be sure not to strictly prevent it. As others have noted, bypassing CORS isn't necessarily a security risk, and changes could be made to require a preflight request and CORS validation while still using multipart/form-data.

from graphql-over-http.

@martinbonnin and/or @glasser would you care to elaborate your concerns and/or submit non-normative notes to the GraphQL-over-HTTP spec regarding this. I'm happy to do editorial on them if you only have time for rough notes, I just want to ensure I'm capturing the important parts.

from graphql-over-http.

Thanks for following up on this!

I'll defer to @glasser for the details but my high level understanding is that some conditions make GraphQL requests more prone to CSRF issues like the ones described in this blog post:

1. POSTs with a multipart/form-data content-type (which can be accepted by some middleware such as file uploads) could modify state bypassing CORS because multipart/form-data doesn't require a preflight request.
2. GETs could be used for timing attacks, which are effectively the same concern as with any REST API but GraphQL make them a bit easier because of the dynamic nature of the query making it harder for the backend to reply in constant time.

For 1., might be worth requiring a content-type around here?
For 2. maybe a "security" section towards the end of the document?

from graphql-over-http.

Moving this to the GraphQL-over-HTTP WG

from graphql-over-http.