Comments (11)
I'm all for adding important security notes or references when appropriate to the spec as a note. As it particularly relates to `multipart/form-data`, we should be sure not to strictly prevent it. As others have noted, bypassing CORS isn't necessarily a security risk, and changes could be made to require a preflight request and CORS validation while still using `multipart/form-data`.
from graphql-over-http.
@martinbonnin and/or @glasser would you care to elaborate your concerns and/or submit non-normative notes to the GraphQL-over-HTTP spec regarding this. I'm happy to do editorial on them if you only have time for rough notes, I just want to ensure I'm capturing the important parts.
from graphql-over-http.
Thanks for following up on this!
I'll defer to @glasser for the details but my high level understanding is that some conditions make GraphQL requests more prone to CSRF issues like the ones described in this blog post:
1. POSTs with a `multipart/form-data` content-type (which can be accepted by some middleware such as file uploads) could modify state bypassing CORS because `multipart/form-data` doesn't require a preflight request.
2. GETs could be used for timing attacks, which are effectively the same concern as with any REST API, but GraphQL makes them a bit easier because of the dynamic nature of the query, making it harder for the backend to reply in constant time.
For 1., might be worth requiring a content-type around here?
For 2. maybe a "security" section towards the end of the document?
from graphql-over-http.
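The preflight-bypass problem described in the comment above, as an added example that is not part of this thread, the graphql-over-http spec, or any reference server: a framework-neutral pre-execution check that rejects any GraphQL request a browser could have issued cross-origin as a CORS "simple request" (no preflight). The request shape (`method`, `headers`, and a decoded `body` or parsed `query` object) and the header name `x-requested-with` used in the sample are assumptions; the safelisted content types and headers are the ones defined by the Fetch/CORS spec.

```javascript
// Added example, not code from the graphql-over-http spec or this thread.
// A CSRF guard for a GraphQL-over-HTTP endpoint: refuse any request that a
// browser could have sent cross-origin without a CORS preflight, so a
// cross-site page cannot trigger a mutation via multipart/form-data,
// text/plain, a form post, or a plain GET URL.

// Content types a browser may send cross-origin without a preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Request headers a browser may add without triggering a preflight
// (CORS-safelisted request headers). Any other header forces a preflight.
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type', 'range',
]);

// "multipart/form-data; boundary=..." -> "multipart/form-data"
function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// True when the browser must have run a CORS preflight before this request:
// either the content-type is not a simple one (e.g. application/json) or a
// non-safelisted header is present.
function requiredPreflight(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if ('content-type' in lower && !SIMPLE_CONTENT_TYPES.has(mediaType(lower['content-type']))) {
    return true;
  }
  return Object.keys(lower).some((h) => !SAFELISTED_HEADERS.has(h));
}

// Rough operation-type sniffing, enough to tell a mutation from a query
// before a full parse. Comments are stripped first so "# mutation" inside a
// comment does not confuse the check.
function operationType(query) {
  const src = String(query || '').replace(/#[^\n]*/g, '').trim();
  if (src.startsWith('{')) return 'query'; // anonymous shorthand query
  const m = /^(query|mutation|subscription)\b/.exec(src);
  return m ? m[1] : 'unknown';
}

// req is a hypothetical, framework-neutral shape (assumption):
//   { method, headers, body }  for POST, body already decoded to an object
//   { method, headers, query } for GET, query = parsed URL parameters
function checkCsrf(req) {
  const method = String(req.method || '').toUpperCase();
  const params = (method === 'GET' ? req.query : req.body) || {};
  const op = operationType(params.query);

  if (method === 'GET') {
    // A mutation reachable by GET is the simplest CSRF vector (an <img src>
    // is enough), so only query operations are accepted here.
    if (op !== 'query') {
      return { ok: false, reason: `GET may only carry query operations, got ${op}` };
    }
    return { ok: true };
  }

  if (method === 'POST') {
    if (!requiredPreflight(req.headers)) {
      return {
        ok: false,
        reason: 'simple-request POST (e.g. multipart/form-data with no custom header) never triggers a CORS preflight; send a non-safelisted header or use application/json',
      };
    }
    return { ok: true };
  }

  return { ok: false, reason: `unsupported method ${method}` };
}

// Constructed sample requests (not captured traffic) covering each path.
function demo() {
  const mutation = 'mutation { deleteAccount(id: 1) { ok } }';
  return {
    formPostMutation: checkCsrf({
      method: 'POST',
      headers: { 'Content-Type': 'multipart/form-data; boundary=----abc' },
      body: { query: mutation },
    }),
    formPostWithCustomHeader: checkCsrf({
      method: 'POST',
      headers: { 'content-type': 'multipart/form-data; boundary=----abc', 'x-requested-with': 'fetch' },
      body: { query: mutation },
    }),
    jsonPostMutation: checkCsrf({
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: { query: mutation },
    }),
    getMutation: checkCsrf({
      method: 'GET',
      headers: { accept: 'application/json' },
      query: { query: mutation },
    }),
    getQuery: checkCsrf({
      method: 'GET',
      headers: { accept: 'application/json' },
      query: { query: '# just a comment\n{ viewer { id } }' },
    }),
  };
}
```

Calling `demo()` shows the two outcomes the comment cares about: the multipart POST with no extra header is refused, while the same upload becomes acceptable once a custom header (which forces a preflight) is present, so file-upload middleware can keep using `multipart/form-data` without giving up CORS enforcement. The GET branch covers the non-preflighted GET case independently of the timing concern raised above.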
Moving this to the GraphQL-over-HTTP WG
from graphql-over-http.