Compare projects
Project comparisons allow you to view any selection of projects side by side just like they're shown on regular categories or in search results. You can try out an example or start yourself by adding a library to the comparison via the input below. You can also easily share your current comparison with others by sending the URL of the current page.
0.0
The middleware makes sure any request to specified paths would have been
preflighted if it was sent by a browser.
We don't want random websites to be able to execute actual GraphQL
operations from a user's browser unless our CORS policy supports it. It's
not good enough just to ensure that the browser can't read the response from
the operation; we also want to prevent CSRF, where the attacker can cause
side effects with an operation or can measure the timing of a read
operation. Our goal is to ensure that we don't run the context function or
execute the GraphQL operation until the browser has evaluated the CORS
policy, which means we want all operations to be pre-flighted. We can do
that by only processing operations that have at least one header set that
appears to be manually set by the JS code rather than by the browser
automatically.
POST requests generally have a content-type `application/json`, which is
sufficient to trigger preflighting. So we take extra care with requests that
specify no content-type or that specify one of the three non-preflighted
content types. For those operations, we require one of a set of specific
headers to be set. By ensuring that every operation either has a custom
content-type or sets one of these headers, we know we won't execute
operations at the request of origins who our CORS policy will block.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
Activity