-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should we explicitly support Content-Type: application/graphql
?
#249
Comments
I share Benjies opinion, an extra content-type that'd have a questionable approach to defining variables (and even not an optimal one due to URL size limits) would be a maintenance burden IMHO. I think the spec should recommend the most ideal of approaches and be kept simple and concise. |
Is this approach actually used significantly? I tried to search GitHub for mentions in issues with the following query: https://github.com/search?q=%22application%2Fgraphql%22&type=issues. I found it hard to make sense of the result. A couple of issues seem to request or mention the usage of |
I agree (i.e. don't require support), although considering that existing servers (including GraphQL.NET Server) support
Here are some additional comments regarding
|
When we decided to remove The spec allows for |
I think I agree that it shouldn't be specified, having multiple ways of doing things in the spec will lead to fragmentation in preferred implementations. |
Great; seems like consensus. I’m going to leave this open as an opportunity for someone to add the appendix on “historical approaches” or whatever. When doing so you may wish to note the application/x-www-form-urlencoded and multipart/form-data approaches have also both been used in the past by various clients/servers, but that they have security implications (see @glasser’s writings on this subject) and therefore they are NOT RECOMMENDED. |
|
This seems like a tangent on this issue, but: it seems unlikely that anyone (or at least anyone who uses cookies) will implement it the |
Indeed, I didn't say they couldn't be implemented securely, just that they have security implications - I don't think it's worth our effort to dedicate resources to addressing these in the GraphQL-over-HTTP spec when the graphql-multipart-request-spec already exists to address those concerns. Perhaps calling the appendix "Other content types" would be wise, and it can link out to spec(s) but make it clear it's not an endorsement (since the working group probably doesn't have sufficient resource to vet it). |
I'm happy with the consensus on this issue for the same reason as everyone else - not specifying multiple ways to do things in a spec. To the question from @spawnia :
I remember about 3 years ago being in a graphql-wg meeting when that question came up and someone (I think @eapache Evan from Shopify but I'm not sure) said that based on their logs from all the many clients that hit their public endpoint about half of the transactions used I've tried just now to search the web for the meeting notes that would have the actual number and see whether it confirms my memory or not --- but I haven't found it. Maybe @benjie has a better way to search the meeting notes. |
This rings a vague bell for me, but I don’t remember concretely, and I’m unfortunately no longer at Shopify to check. I believe @swalkinshaw or @rebeccajfriedman can probably confirm this though? |
Here's the notes: https://github.com/graphql/graphql-wg/blob/main/notes/2020/2020-04-02.md#applicationgraphql-media-type-status-10m-benjie I think the relevant part of the recording starts around here: |
Shopify had some simple "getting started" examples from ~2017 to 2019 that used Now we see >99% of requests using |
Reviewing https://github.com/graphql/graphql.github.io/pull/1394/files I noticed that servers were recommended to accept
application/graphql
where the POST body would be a raw (text) GraphQL document - indeed PostGraphile has always supported this. It doesn't actually detail handling variables in this case, which is why I excluded it from the spec, but we could handle them via query parameters in the same way as we do for GET.Question: should we explicitly include this in the spec. The
BestPractice-ServingOverHTTP.md
page "recommends" it, so if we did add it, it would be a SHOULD (not a MUST).I'm personally of the opinion that we should just use the JSON encoding and not add
Content-Type: application/graphql
support (servers MAY still support it, but that's their choice) - I don't think it's a good idea to add too many different ways to do the same thing, it complicates compatibility for everyone. But I feel it warrants a discussion none the less.Thoughts, @abernix @balshor @benjie @deinok @ErikWittern @jaydenseric @michaelstaib @mike-marcacci @mmatsa @Shane32 @sjparsons @spawnia @sungam3r @Touchstone117 @enisdenjo @JoviDeCroock ?
The text was updated successfully, but these errors were encountered: