Bug: Using Sourcegraph.com GraphQL API from other websites is broken
View options
Created by: slimsag
Problem: If you try to use https://sourcegraph.com/.api/graphql from another website, it is blocked due to CORS because we're not setting any Content-Security-Policy for responses from that URL, it defaults and is thus blocked:
Content Security Policy: The page’s settings blocked the loading of a resource at https://sourcegraph.com/.api/graphql?SearchContexts (“default-src”).
Are you ready for some history?
- Based on my memory, we have always intended for the Sourcegraph.com GraphQL API to be used as broadly and accessibly as possible - including by other websites, by unauthenticated users on https://sourcegraph.com/api/console, via the
srcCLI, and literally everywhere else. - We explicitly designed the CORS handling of the GraphQL API to only ever allow cookie-based session auth if on the same domain (in so-called "non-simple" CORS requests)
- This is closely related to this old issue I have open about removing our redundant CSRF cookies #7658 and if you're wondering "how is that secure?" see my detailed write-up here back in 2018 which is still true today - or this more brief explanation of OWASP: using custom request headers to prevent CSRF.
In short:
https://sourcegraph.com/.api/graphql should have aContent-Security-Policywhich allows requests from any origin.This should be completely safe and secure to enable, and was the original intended behavior - but obviously needs verification.