Add a comment about a new use of the X-APOLLO-OPERATION-NAME header

apollographql · AnthonyMDev · May 5, 2022 · May 5, 2022 · May 5, 2022 · 56e4755072d18b19d1ea1188bfafe6c599444fd5
commit 56e4755072d18b19d1ea1188bfafe6c599444fd5
diff --git a/Sources/Apollo/HTTPRequest.swift b/Sources/Apollo/HTTPRequest.swift
@@ -44,6 +44,15 @@ open class HTTPRequest<Operation: GraphQLOperation> {
     self.cachePolicy = cachePolicy
 
     self.addHeader(name: "Content-Type", value: contentType)
+    // Note: in addition to this being a generally useful header to send, Apollo
+    // Server's CSRF prevention feature (introduced in AS3.7 and intended to be
+    // the default in AS4) includes this in the set of headers that indicate
+    // that a GET request couldn't have been a non-preflighted simple request
+    // and thus is safe to execute. If this project is changed to not always
+    // send this header, its GET requests may be blocked by Apollo Server with
+    // CSRF prevention enabled. See
+    // https://www.apollographql.com/docs/apollo-server/security/cors/#preventing-cross-site-request-forgery-csrf
+    // for details.
     self.addHeader(name: "X-APOLLO-OPERATION-NAME", value: self.operation.operationName)
     self.addHeader(name: "X-APOLLO-OPERATION-TYPE", value: String(describing: operation.operationType))
     if let operationID = self.operation.operationIdentifier {