Revert to default query execution behaviour
The only security risk here is persuading a user to execute a mutation, which is probably not a big risk. Mitigating this risk while keeping the same UX (which is so valuable) would require more work than is proportionate for this PR.
This commit is contained in:
parent
cb87f40165
commit
2b08e59bea
|
@ -35,30 +35,10 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// If there are any fragment parameters, confirm the user wants to use them.
|
|
||||||
var isReload = window.performance ? performance.navigation.type === 1 : false;
|
|
||||||
var isQueryTrusted = Object.keys(parameters).length === 0 || isReload;
|
|
||||||
|
|
||||||
var fetchURL = locationQuery(otherParams);
|
var fetchURL = locationQuery(otherParams);
|
||||||
|
|
||||||
// Defines a GraphQL fetcher using the fetch API.
|
// Defines a GraphQL fetcher using the fetch API.
|
||||||
function graphQLFetcher(graphQLParams) {
|
function graphQLFetcher(graphQLParams) {
|
||||||
var isIntrospectionQuery = (
|
|
||||||
graphQLParams.query !== parameters.query
|
|
||||||
&& graphQLParams.query.indexOf('IntrospectionQuery') !== -1
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!isQueryTrusted
|
|
||||||
&& !isIntrospectionQuery
|
|
||||||
&& !window.confirm("This query was loaded from a link, are you sure you want to execute it?")) {
|
|
||||||
return Promise.resolve('Aborting query.');
|
|
||||||
}
|
|
||||||
|
|
||||||
// We don't want to set this for the introspection query
|
|
||||||
if (!isIntrospectionQuery) {
|
|
||||||
isQueryTrusted = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
var headers = {
|
var headers = {
|
||||||
'Accept': 'application/json',
|
'Accept': 'application/json',
|
||||||
'Content-Type': 'application/json'
|
'Content-Type': 'application/json'
|
||||||
|
|