
Http Executor encodes headers into query parameters which can leak Authorization headers #5753

Closed
4 tasks done
darren-west opened this issue Dec 7, 2023 · 0 comments

Issue workflow progress

Progress of the issue based on the Contributor Workflow

  • 1. The issue provides a reproduction available on Github, Stackblitz or CodeSandbox

    Make sure to fork this template and run yarn generate in the terminal.

    Please make sure the GraphQL Tools package versions under package.json matches yours.

  • 2. A failing test has been provided
  • 3. A local solution has been provided
  • 4. A pull request is pending review

Describe the bug
When using the HttpExecutor with the GET method, which is used for subscriptions over SSE, headers are leaked into the query parameters, which are captured by server logs.

This is avoidable by not using extensions to add the headers and using the standalone function headers() instead, but this is easily missed.

This is currently a problem in Yoga and the way it uses GraphiQL: if you initiate a subscription, it will encode any headers into the URL.

To Reproduce

Steps to reproduce the behavior:

Spin up a Yoga server, use the built-in GraphiQL to perform a subscription, and you can see the headers.

Expected behavior

Headers should not be pushed to extensions.
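An added illustration of the leak and its mitigation (example code, not graphql-tools' or Yoga's own implementation): a minimal GET request builder that, like the reported behaviour, serialises the whole `extensions` object into the query string, beside a hardened variant that moves `extensions.headers` into real HTTP headers, plus a check a defender can run over request paths or access-log URLs to flag credentials that did end up in the query string. The endpoint, sample subscription and token value are constructed placeholders.

```javascript
// Added example, not graphql-tools code. Header names worth flagging if they
// appear inside the serialised `extensions` query parameter.
const SENSITIVE = ['authorization', 'cookie', 'x-api-key'];

// Models the reported behaviour: a GET-based executor (as used for SSE
// subscriptions) that pushes query, variables and extensions into the URL.
// Anything placed under extensions.headers lands in the URL and in server logs.
function buildRequestLeaky(endpoint, request) {
  const url = new URL(endpoint);
  url.searchParams.set('query', request.query);
  if (request.variables) url.searchParams.set('variables', JSON.stringify(request.variables));
  if (request.extensions) url.searchParams.set('extensions', JSON.stringify(request.extensions));
  return { method: 'GET', url: url.toString(), headers: {} };
}

// Hardened variant: headers are split off from `extensions` before it is
// serialised and sent as HTTP headers, so they never reach the URL.
function buildRequestSafe(endpoint, request) {
  const { headers, ...rest } = request.extensions ?? {};
  const url = new URL(endpoint);
  url.searchParams.set('query', request.query);
  if (request.variables) url.searchParams.set('variables', JSON.stringify(request.variables));
  if (Object.keys(rest).length) url.searchParams.set('extensions', JSON.stringify(rest));
  return { method: 'GET', url: url.toString(), headers: { ...(headers ?? {}) } };
}

// Detection: given a full URL or a request path from an access log, return the
// sensitive header names found under extensions.headers in the query string.
function urlLeaksHeader(urlOrPath) {
  const ext = new URL(urlOrPath, 'http://localhost').searchParams.get('extensions');
  if (!ext) return [];
  let parsed;
  try { parsed = JSON.parse(ext); } catch { return []; }
  const names = Object.keys(parsed.headers ?? {}).map((h) => h.toLowerCase());
  return names.filter((h) => SENSITIVE.includes(h));
}

// Constructed sample request, shaped like a GraphiQL subscription that adds
// an Authorization header through extensions (placeholder token, not real).
const sampleRequest = {
  query: 'subscription { countdown(from: 3) }',
  extensions: { headers: { Authorization: 'Bearer <placeholder-token>' } },
};

const leaky = buildRequestLeaky('http://localhost:4000/graphql', sampleRequest);
const safe = buildRequestSafe('http://localhost:4000/graphql', sampleRequest);
console.log('leaky URL flags:', urlLeaksHeader(leaky.url)); // → [ 'authorization' ]
console.log('safe URL flags:', urlLeaksHeader(safe.url));   // → []
```

Running `urlLeaksHeader` over the request paths in existing access logs shows whether a deployment has already recorded bearer tokens this way, which decides whether those tokens need rotating as well as fixing the client.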
