From 5f0089f990260463042b5c2f98f41a3aebafc620 Mon Sep 17 00:00:00 2001
From: Matchu
Date: Thu, 27 May 2021 16:41:52 -0700
Subject: [PATCH] Access-Control-Allow-Origin: * for GraphQL

Someone asked to use the DTI API for a small client-side project, so I'm making this change to support it! As explained in the comment, I think this should be safe regarding CSRF attacks. But it _does_ increase the risk that someday we change something elsewhere that creates a problem, like using cookies to authorize something. So, let's remember to be careful! (as I would hope we would be when adding another auth mechanism!)
---
 api/graphql.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/api/graphql.js b/api/graphql.js
index 1a08d41..07a8b23 100644
--- a/api/graphql.js
+++ b/api/graphql.js
@@ -48,6 +48,14 @@ function deterministicSampler(traceId, sampleRate) {
 }
 
 async function handle(req, res) {
+ // CAREFUL! We here allow any website to use our GraphQL API, so our data can
+ // be more useful to the public. Using the * wildcard means that, in modern
+ // browsers, requests should be sent without credentials. Additionally, we
+ // don't store credentials in cookies; the client is responsible for setting
+ // an Authorization header. So, I don't think there's any CSRF danger here.
+ // But, let's be careful and make sure this continues to be true!
+ res.setHeader("Access-Control-Allow-Origin", "*");
+
 await serverHandler(req, res);
 
 // As a sneaky trick, we require the Honeycomb trace to finish before the
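Review bot: The comment above `res.setHeader("Access-Control-Allow-Origin", "*")` credits the wildcard with keeping credentials off requests, but the wildcard only stops a browser from exposing the response of a credentialed request to the calling page; a cross-site request can still arrive with cookies attached and be executed by the server. The property that actually rules out CSRF is the second one the comment names, that nothing is authorized by ambient credentials, and that has to hold for cookies, HTTP auth, client certificates and network position alike (a deployment reachable only from an internal network would, presumably, become readable from any page a user inside that network visits). I would reword the comment to state that invariant directly, e.g. `// Safe only while every request is authorized solely by an explicit Authorization header; never add Access-Control-Allow-Credentials or cookie/IP-based auth to this endpoint.` Separately, whether a cross-origin JSON POST or one carrying `Authorization` passes the CORS preflight depends on how `serverHandler` answers OPTIONS, which is outside the hunk, as is the rest of `handle`.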