Closed martinbonnin closed 8 months ago
This will mean that the default behavior of Apollo Router and Apollo Server will be to block all GET requests from Apollo Kotlin. I'd encourage you to pair this with adding apollo-require-preflight to all GET requests.
(Previous comment was a response to the original version of the issue which has been edited. Note that this applies to Apollo Router as well as Apollo Server.)
@glasser Yup, apologies about the edits and thank you so much for surfacing this. Initial post edited to:

- GET requests
- Apollo-Require-Preflight (any preference about the casing here?) for both GET and uploads
Description

Apollo Kotlin currently sends 2 extra headers by default with each request:

- X-APOLLO-OPERATION-NAME
- X-APOLLO-OPERATION-ID

In order to simplify the code as well as align with other clients, we'd like to remove them.

The only usage we are aware of is to collaborate with CSRF prevention in Apollo Server and Apollo Router. This is useful under those conditions:

In those cases, Apollo Kotlin would add the Apollo-Require-Preflight header, which is more explicit about the intent of the headers. If X-APOLLO-OPERATION-NAME or X-APOLLO-OPERATION-ID are still required, adding them back is as easy as:

Overall, we feel this is a win for the vast majority of users and the mitigation is quite easy for the others. If you feel otherwise, please comment. Feedback welcome! Timeline is doing it for v4 by the end of the year.
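To make concrete why dropping X-APOLLO-OPERATION-NAME without adding Apollo-Require-Preflight would get GET and upload requests blocked, here is an added example (written for this page, not code from Apollo Kotlin, Apollo Server or Apollo Router) that re-implements the shape of the server-side CSRF-prevention check as the discussion describes it: a request that a browser could send cross-origin without a CORS preflight is rejected unless it carries a header that would have forced one. The set of "simple" content types, the default header names, and the sample requests are assumptions constructed for the example; the real projects' configuration options and exact parsing may differ.

```python
# Added example, not the projects' own code: a minimal model of the
# CSRF-prevention rule discussed in the issue. Header names are the two
# defaults named in the thread; the sample requests below are constructed.

# Content types a browser may send cross-origin without a preflight.
SIMPLE_CONTENT_TYPES = {
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}

# Any one of these headers (matched case-insensitively) marks the request
# as deliberately preflighted. After the change in this issue, Apollo Kotlin
# would send only the second one by default.
REQUIRED_HEADERS = {"x-apollo-operation-name", "apollo-require-preflight"}


def _media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def is_preflight_free(headers):
    """True if a browser could send this request cross-origin with no preflight."""
    normalised = {k.lower(): v for k, v in headers.items()}
    content_type = normalised.get("content-type")
    if content_type is None:
        return True  # e.g. a plain GET with no body
    return _media_type(content_type) in SIMPLE_CONTENT_TYPES


def csrf_check(headers):
    """Return (allowed, reason) for a request carrying the given headers."""
    normalised = {k.lower(): v for k, v in headers.items()}
    if not is_preflight_free(normalised):
        return True, "non-simple content type already forces a preflight"
    present = REQUIRED_HEADERS & set(normalised)
    if present:
        return True, f"preflight-forcing header present: {sorted(present)[0]}"
    return False, "simple request without a preflight-forcing header"


# Constructed sample requests mirroring the cases raised in the issue.
SAMPLES = {
    "post_json": {"Content-Type": "application/json"},
    "get_today": {"X-APOLLO-OPERATION-NAME": "GetUser",
                  "X-APOLLO-OPERATION-ID": "constructed-id"},
    "get_headers_removed": {},
    "get_with_preflight_header": {"Apollo-Require-Preflight": "true"},
    "upload_no_header": {"Content-Type": "multipart/form-data; boundary=xyz"},
    "upload_with_preflight_header": {
        "Content-Type": "multipart/form-data; boundary=xyz",
        "Apollo-Require-Preflight": "true",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        allowed, reason = csrf_check(hdrs)
        print(f"{name:30} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

Running it shows the two outcomes the thread is about: a GET with neither header ("get_headers_removed") and a multipart upload with no header are blocked, while the same requests carrying Apollo-Require-Preflight pass, and a POST with application/json passes regardless because that content type already triggers a preflight.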