Disable ReadFormOnPost by default
Shane32 opened this issue · 0 comments
Shane32 commented
See notes for `GraphQLHttpMiddlewareOptions.ReadFormOnPost` (which may be inaccurate).
See https://www.apollographql.com/blog/backend/file-uploads/file-upload-best-practices
Based on the CORS spec, I actually think CORS would be triggered if cookies were sent, but I'm not sure. Assuming CORS was triggered in that scenario, it seems unlikely that there is a serious security vulnerability with parsing form data requests. Unless someone were exclusively using CORS for security, which seems like pretty weak security.
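
For reference on the preflight question, an added example (not part of this issue or of the GraphQL.NET code base): a simplified model of the Fetch standard's preflight decision for the form content types that `ReadFormOnPost` parses, plus a server-side guard that accepts form bodies only when a preflight-forcing header is present. The function names and the `X-Require-Preflight` header are hypothetical, and the header value-length and byte checks of the standard are omitted.

```javascript
// Simplified model of the Fetch standard's check for whether a cross-origin
// request needs a CORS preflight. Credentials mode (cookies) is not an input:
// the decision depends only on the method and the author-set headers.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// MIME essence: drop parameters such as "; boundary=..." or "; charset=...".
function essence(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

function needsPreflight({ method, headers = {} }) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    if (n === "content-type" && SAFE_CONTENT_TYPES.has(essence(value))) continue;
    return true; // any other author-set header forces a preflight
  }
  return false;
}

// Hypothetical server-side guard: a body whose content type can be sent
// without a preflight is accepted only if a preflight-forcing header is present.
const PREFLIGHT_HEADER = "x-require-preflight"; // hypothetical header name
function acceptBody(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const type = essence(lower["content-type"] || "");
  if (!SAFE_CONTENT_TYPES.has(type)) return true; // e.g. application/json
  return PREFLIGHT_HEADER in lower;
}

// Constructed sample requests (not taken from the issue).
const SAMPLES = {
  formPost: { method: "POST",
    headers: { "Content-Type": "multipart/form-data; boundary=x" } },
  jsonPost: { method: "POST",
    headers: { "Content-Type": "application/json" } },
};
console.log(needsPreflight(SAMPLES.formPost), needsPreflight(SAMPLES.jsonPost));
```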