Access-Control-Allow-Origin: * for GraphQL
Someone asked to use the DTI API for a small client-side project, so I'm making this change to support it! As explained in the comment, I think this should be safe regarding CSRF attacks. But it _does_ increase the risk that someday we change something elsewhere that creates a problem, like using cookies to authorize something. So, let's remember to be careful! (as I would hope we would be when adding another auth mechanism!)
This commit is contained in:
parent
abc322c24d
commit
5f0089f990
1 changed file with 8 additions and 0 deletions
@ -48,6 +48,14 @@ function deterministicSampler(traceId, sampleRate) {
}
async function handle(req, res) {
// CAREFUL! We here allow any website to use our GraphQL API, so our data can
// be more useful to the public. Using the * wildcard means that, in modern
// browsers, requests should be sent without credentials. Additionally, we
// don't store credentials in cookies; the client is responsible for setting
// an Authorization header. So, I don't think there's any CSRF danger here.
// But, let's be careful and make sure this continues to be true!
res.setHeader("Access-Control-Allow-Origin", "*");
await serverHandler(req, res);
// As a sneaky trick, we require the Honeycomb trace to finish before the
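Review bot: the CSRF reasoning in the new comment block is not quite right and should be reworded before anyone relies on it: `Access-Control-Allow-Origin: *` does not stop a browser from sending cookies on a cross-origin request, it only prevents the calling page from reading the response (and, since no `Access-Control-Allow-Credentials` header is sent, credentialed reads are refused too). The thing that actually rules out CSRF here is the next sentence of the comment, that cookies are never used for authorization and the client must set an `Authorization` header, so the comment should name that as the invariant, e.g. `// The wildcard does not stop cookies being sent; it only blocks reading the response.` Separately, a browser client that sets `Authorization` (or POSTs `application/json`, as GraphQL clients do) triggers an `OPTIONS` preflight, and the hunk only sets the one header; please confirm that `serverHandler` already answers preflights with `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers`, otherwise the client-side project this change is meant to enable will still be blocked. Finally, consider a small test asserting the response never carries `Access-Control-Allow-Credentials` or `Set-Cookie`, so the "let's be careful" intent is enforced rather than remembered.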