
GraphQL API doesn't accept `Origin: null` header

Discovered in gitlab-figma-plugin#79 (closed).

In some contexts (for example inside certain iframes, as is the case with our Figma plugin: https://www.figma.com/plugin-docs/making-network-requests/), the browser sets the `Origin` header to the literal value `null`. In this case, our GraphQL API responds with:

{"errors":[{"message":"Internal server error: The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually\nmeans you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that\nrefused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the\nbest solution is to change your referrer policy to something less strict like same-origin or strict-origin.\nIf you cannot change the referrer policy, you can disable origin checking with the\nRails.application.config.action_controller.forgery_protection_origin_check setting.\n"}]}

Source: https://github.com/rails/rails/blob/main/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L498

The REST API is not affected by this: setting `Origin: null` on both GET and POST requests to the REST API doesn't appear to affect the request.

Reproduction steps

The following request works as expected:

GRAPHQL_TOKEN=<redacted>
curl "https://gitlab.com/api/graphql" --header "Authorization: Bearer $GRAPHQL_TOKEN" \
     --header "Content-Type: application/json" --request POST \
     --data "{\"query\": \"query {currentUser {name}}\"}"

Now we add the `Origin: null` header, and the request fails:

GRAPHQL_TOKEN=<redacted>
curl "https://gitlab.com/api/graphql" --header "Authorization: Bearer $GRAPHQL_TOKEN" \
     --header "Content-Type: application/json" --header "Origin: null" --request POST \
     --data "{\"query\": \"query {currentUser {name}}\"}"

The request fails with the following response:

{"errors":[{"message":"Internal server error"}]}

Note that both of the above requests are POST requests (as they should be). Out of curiosity I tried a GET using the `query` query parameter, and got a successful response:

GRAPHQL_TOKEN=<redacted>
curl "https://gitlab.com/api/graphql?query=\{currentUser\{name\}\}" --header "Authorization: Bearer $GRAPHQL_TOKEN" \
     --header "Content-Type: application/json" --header "Origin: null" --request GET

Possible approach

@alexkalderimis suggested in gitlab-figma-plugin#79 (comment 733895770):

... Since GraphQL is used with session authentication in GraphiQL (iirc), doesn't that mean we need CSRF protection here?

Maybe we want two GQL endpoints, one for session based auth (webapp, GraphiQL) the other for sessionless auth (external API usage)?
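To make the three curl cases above and the two-endpoint suggestion concrete, here is an added example that is not GitLab's or Rails's own code: a standalone Ruby model of the Rails request-forgery check that the linked `request_forgery_protection.rb` source implements. The shape of `verified_request?` and `valid_request_origin?` follows that source (GET/HEAD bypass the check; a literal `null` origin raises before any CSRF token is looked at; a missing origin is tolerated; a present one must equal the site's base URL). The `sessionless?` helper and the `skip_for_sessionless:` switch are assumptions standing in for "CSRF protection only when the request is session-authenticated", which is what a separate sessionless endpoint would achieve. The model does not reproduce how GitLab handles a request that is merely unverified (as opposed to one that raises).

```ruby
# Added example: a minimal, offline model of the Rails origin-based CSRF check.
# Not the code of Rails or GitLab; it mirrors the logic of the linked Rails source.

class NullOriginError < StandardError; end

# A request is a plain hash: { method: 'POST', headers: {...}, base_url: 'https://gitlab.com' }.

# Mirrors Rails's valid_request_origin? (with forgery_protection_origin_check on).
def valid_request_origin?(req)
  origin = req[:headers]['Origin']
  # Rails raises here; GitLab's rescue turns that into the "Internal server error" seen above.
  raise NullOriginError, "browser returned a 'null' origin; request source cannot be verified" if origin == 'null'
  # An absent Origin is accepted; a present one must be the site itself.
  origin.nil? || origin == req[:base_url]
end

# Assumed heuristic (not from the page): bearer/private-token requests carry no ambient
# session cookie, so a cross-site page cannot forge them; CSRF protection adds nothing.
def sessionless?(req)
  auth = req[:headers]['Authorization'].to_s
  auth.start_with?('Bearer ') || req[:headers].key?('PRIVATE-TOKEN')
end

# Mirrors Rails's verified_request?; `session_token_valid` stands in for
# any_authenticity_token_valid?. Returns true/false, or raises for a 'null' origin.
# `skip_for_sessionless` models the proposed exemption for sessionless API callers.
def verified_request?(req, session_token_valid:, skip_for_sessionless: false)
  return true if skip_for_sessionless && sessionless?(req)
  return true if %w[GET HEAD].include?(req[:method])
  valid_request_origin?(req) && session_token_valid
end

# The three curl requests from the reproduction steps, run through the model.
# Returns a hash of case name => true / false / :raised_null_origin.
def issue_cases(skip_for_sessionless: false)
  base = 'https://gitlab.com'
  token_headers = { 'Authorization' => 'Bearer <redacted>', 'Content-Type' => 'application/json' }
  cases = {
    post_no_origin: { method: 'POST', headers: token_headers, base_url: base },
    post_null_origin: { method: 'POST', headers: token_headers.merge('Origin' => 'null'), base_url: base },
    get_null_origin: { method: 'GET', headers: token_headers.merge('Origin' => 'null'), base_url: base }
  }
  cases.transform_values do |req|
    # A curl call has no Rails session, hence no valid authenticity token.
    verified_request?(req, session_token_valid: false, skip_for_sessionless: skip_for_sessionless)
  rescue NullOriginError
    :raised_null_origin
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "current behaviour:  #{issue_cases}"
  puts "sessionless exempt: #{issue_cases(skip_for_sessionless: true)}"
end
```

Running the file prints that, under the current check, the POST with `Origin: null` raises while the GET passes, which matches the curl results; with the sessionless exemption on, all three token-authenticated requests are verified, while a cookie-authenticated POST from a foreign origin is still refused because it is not sessionless.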