Add a security section warning about CSRF

[glasser]

Adding a multipart/form-data parser to a server that previously only parsed application/json POSTs increases its vulnerability to CSRF attacks, because multipart/form-data is special-cased by browser security rules. Anyone implementing this protocol should be aware of this.

[glasser]

I think this text also belongs in other libraries such as graphql-upload but let's start by being happy with it in one place.

[spawnia]

Good writeup. It makes sense, is precise, concise, and helpful.

[jaydenseric]

Thank you @glasser for the concern and effort you have put into raising awareness about GraphQL server authentication and security mechanisms that can be used to thwart CSRF attacks via requests with a Content-Type of multipart/form-data.

In 9322085 I added a “Security” section that clarifies that GraphQL server authentication and security mechanisms are beyond the scope of this specification, which only covers a multipart form field structure for GraphQL requests.

I did however add this note:

Note that a GraphQL multipart request has the Content-Type multipart/form-data; if a browser making such a request determines it meets the criteria for a “simple request” as defined in the Fetch specification for the Cross-Origin Resource Sharing (CORS) protocol, it won’t cause a CORS preflight request. GraphQL server authentication and security mechanisms must consider this to prevent Cross-Site Request Forgery (CSRF) attacks.

I'm comfortable highlighting an unintuitive browser behavior as a favour to the community to increase awareness (even if it is out of scope for this spec), but I'm not a security subject matter expert and as such am not comfortable about providing specific advice to people about whether or not their particular server setup is affected, or attempting to prescribe particular authentication and security mechanisms tailored to different kinds of setups. Even if I was an expert, getting the wording just right and explaining everything in adequate detail is a cognitive burden I simply don't have the time to produce and maintain right now.

There certainly is room out there for more detailed articles and blog posts on the topic, but note that multipart requests are used for all sorts of APIs out there, not just GraphQL file uploads, and a lot of that advice could be general to any API server that has an endpoint accepting multipart requests.