Revert to default query execution behaviour

The only security risk here is that a user could be persuaded to execute a mutation,
which is probably not a big risk. Mitigating this risk while keeping
the same UX (which is so valuable) would require more work than is
proportionate for this PR.
Dan Palmer 2018-09-09 21:44:30 +01:00
parent cb87f40165
commit 2b08e59bea
No known key found for this signature in database
GPG Key ID: DD869B28A1B7AA92


@ -35,30 +35,10 @@
} }
} }
// If there are any fragment parameters, confirm the user wants to use them.
var isReload = window.performance ? performance.navigation.type === 1 : false;
var isQueryTrusted = Object.keys(parameters).length === 0 || isReload;
var fetchURL = locationQuery(otherParams); var fetchURL = locationQuery(otherParams);
// Defines a GraphQL fetcher using the fetch API. // Defines a GraphQL fetcher using the fetch API.
function graphQLFetcher(graphQLParams) { function graphQLFetcher(graphQLParams) {
var isIntrospectionQuery = (
graphQLParams.query !== parameters.query
&& graphQLParams.query.indexOf('IntrospectionQuery') !== -1
);
if (!isQueryTrusted
&& !isIntrospectionQuery
&& !window.confirm("This query was loaded from a link, are you sure you want to execute it?")) {
return Promise.resolve('Aborting query.');
}
// We don't want to set this for the introspection query
if (!isIntrospectionQuery) {
isQueryTrusted = true;
}
var headers = { var headers = {
'Accept': 'application/json', 'Accept': 'application/json',
'Content-Type': 'application/json' 'Content-Type': 'application/json'