New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS default configuration #40
Comments
Hmm yeah this definitely encourages security holes. I understand it was the default on gateway but that seems like something to fix, not to keep. I did not review @o0Ignition0o's code after he changed it because I did not expect he would pick There is a third solution: requiring the user to specify To summarize:
I don't think option 2 is acceptable at all but feel free to challenge me. |
Agree 100%. The absence of config should be secure by default. Would vote for 1 with the our example config explicitly configured for studio. |
I vote for 1 as well (it was what I went with intuitively) |
Followup to our last huddle discussion: It looks like we're trying to place ourselves on a tradeoff between hardening (security) and ease of (first) use / integration. Here are the knobs we can act on: Configuration and defaults:
Runtime behavior:
Given we would like people to be able to explore the router functionality in a seamless manner, yet eventually prevent unsecure settings in production, we are currently leaning into:
Did I forget anything? |
Assuming the above is implemented. |
|
this looks like something that should be fixed in graphql-playground, not the router |
linking to #127 , that provides insights on nice headers to add to the defaults! |
As discussed, we want Both are configurable by yaml regardless |
Fixes :#40 The Router now allows only the `https://studio.apollographql.com` origin by default, instead of any origin.
Fixes :#40 The Router now allows only the `https://studio.apollographql.com` origin by default, instead of any origin.
Fixes :#40 The Router now allows only the `https://studio.apollographql.com` origin by default, instead of any origin.
Update to GA release Bump node-fetch from 2.6.0 to 2.6.1 (#40) Bumps [node-fetch](https://github.com/bitinn/node-fetch) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/bitinn/node-fetch/releases) - [Changelog](https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md) - [Commits](node-fetch/node-fetch@v2.6.0...v2.6.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Add operation name to subqueries
Followup to the previous work on 5b36237
Comments on the introspection efforts raised the fact we're not quite aligned on what we would like the cors default setting to be, and what we would like to customize it wit.
[Allow any origin might ease use and setup but it might not be considered as the safe default option
Let's write our expected CORS behavior down, so I can add unit tests. We can of course revisit it anytime
The text was updated successfully, but these errors were encountered: