Closed mathjazz closed 3 years ago
Comment Author: @mathjazz
Yesss!
Comment Author: @jotes
brilliant!
Comment Author: @stasm
I love the enthusiasm :) Adrian, can you advise what the best way to proceed here is? I suspect we will need a security sign-off for GraphiQL.
Here's the GraphiQL repo:
https://github.com/graphql/graphiql/
And the template used by graphene-django:
https://github.com/graphql-python/graphene-django/blob/master/graphene_django/templates/graphene/graphiql.html
Comment Author: @Pike
I guess one point is to harden CSP and CSRF. CSRF seems to be somewhat dealt with in the template, why did we end up disabling it completely?
Also, https://github.com/ctrlplusb/react-universally/issues/253 has some interesting ramblings on CSP, http://django-csp.readthedocs.io/en/latest/decorators.html#csp-update might be helpful.
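As an added illustration of the CSP hardening @Pike raises (not code from Pontoon, graphene-django or django-csp), the following builds the `Content-Security-Policy` value a GraphiQL page would need in two configurations, the CDN-loading template versus a self-hosted bundle, and audits an arbitrary policy for the weak spots a reviewer looks for. The inline bootstrap script that GraphiQL templates carry is covered by a per-request nonce rather than `'unsafe-inline'`. The CDN host list, the directive set and the `new_nonce`/`build_graphiql_csp`/`audit_script_src` names are assumptions made for this example; in a Django deployment the same values would be passed to django-csp's `csp_update` decorator instead of being joined by hand.

```python
import secrets

# Constructed list of third-party script hosts a CDN-based GraphiQL template
# might load from; an audit should take the hosts from the actual template
# (assumption for this example, not read from graphene-django).
CDN_SCRIPT_HOSTS = ["https://cdnjs.cloudflare.com"]


def new_nonce():
    """Per-request CSP nonce; token_urlsafe yields base64url, valid in CSP3."""
    return secrets.token_urlsafe(16)


def build_graphiql_csp(script_hosts, nonce, self_hosted=False):
    """Return a Content-Security-Policy header value for a GraphiQL page.

    With self_hosted=True the react/graphiql bundle is served from our own
    origin, so no third-party host is trusted for scripts or styles. The inline
    bootstrap script gets a nonce instead of 'unsafe-inline'. connect-src stays
    'self' because GraphiQL only talks to our own /graphql endpoint.
    """
    origins = ["'self'"] if self_hosted else ["'self'", *script_hosts]
    directives = {
        "default-src": ["'self'"],
        "script-src": [*origins, f"'nonce-{nonce}'"],
        "style-src": origins,  # verify against the real template's CSS needs
        "connect-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "frame-ancestors": ["'none'"],  # embed-in-iframe setups need the embedding origin here
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_script_src(header):
    """Flag the script-src weaknesses that defeat CSP's XSS protection:
    'unsafe-inline', 'unsafe-eval', and every third-party host it trusts."""
    sources = parse_csp(header).get("script-src", [])
    return {
        "unsafe_inline": "'unsafe-inline'" in sources,
        "unsafe_eval": "'unsafe-eval'" in sources,
        "third_party_hosts": [s for s in sources if s.startswith("http")],
    }


if __name__ == "__main__":
    nonce = new_nonce()
    for label, policy in (
        ("cdn", build_graphiql_csp(CDN_SCRIPT_HOSTS, nonce)),
        ("self-hosted", build_graphiql_csp(CDN_SCRIPT_HOSTS, nonce, self_hosted=True)),
    ):
        print(label, "->", policy)
        print("   audit:", audit_script_src(policy))
```

The audit output makes the CDN trade-off from the thread concrete: the CDN policy trusts an external host for script execution, the self-hosted policy trusts none, and neither needs `'unsafe-inline'` once the bootstrap script carries the nonce. The nonce must be fresh per response and the same value rendered into the `<script nonce="...">` attribute, which django-csp exposes as `request.csp_nonce`.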
Comment Author: @adngdb
I'm not too much of a security expert. The way I see it, GraphiQL doesn't allow users to do anything more than what the API allows. This means that, if our API is secure, so should be any usage of graphiql. It is merely a tool that would make it easier for attackers to find out flaws in the API, but that shouldn't be a blocking factor.
However, I do not know if the front-end has been reviewed for security. It is a bit of external code that will be executed on a domain where people have cookies and sessions, and permissions, and stuff. So there might be some risks. I would be in favor of asking the security team for opinions and/or a review of graphiql and its graphene implementation.
One thing I've noticed in that graphene template that I don't like is the usage of a CDN. I generally dislike them, as I consider them external sources of failure and they can be used to track our users. However, that is a personal opinion and Mozilla's policy on CDNs might be different.
Hope that helps! Having graphiql on prod would indeed be super useful, it makes using the API so much easier.
Comment Author: @stasm
Thanks, Adrian. I'll reach out to the security team.
FWIW, GitHub deployed GraphiQL at https://developer.github.com/v4/explorer/
Comment Author: @stasm
Actually, they deployed it at https://graphql-explorer.githubapp.com which is then embedded as an iframe at https://developer.github.com/v4/explorer.
This issue was created automatically with bugzilla2github.
Bug 1407192
Bug Reporter: @stasm CC: @adngdb, @mathjazz, @jotes Blocker for: Bug 1395273
The GraphiQL IDE is currently only available at /graphql in local deployments. Let's use this bug to track what's needed to enable it on production.