The file uploads feature (for flask, at least) was introduced with #712. I also see that there is a File Uploads doc page which references an unofficial graphql multipart request spec.
The reason I'm opening this issue is because discovering that the endpoint accepts form submissions by default came as a shock to me. Form submissions are not subject to CORS protections, and therefore need CSRF protection to provide adequate security. With such generalized read functionality on a single POST-based graphql endpoint, it can make sense to not include CSRF protections on graphql requests.
If you can rely on CORS protections, it's possible to save a round trip on initial page load. For example, with CSRF you'd need an empty round trip just to set the CSRF token so that the next request for data (that would actually hydrate the page) has one set.
Just generally speaking, the pattern for file uploads we use within our application is to provide a short-lived presigned S3 upload link that the client can directly engage with and upload to an otherwise-private S3 bucket. Then the graphql request includes a reference to that uploaded data, and the backend can then transfer/handle it internally. This pattern gives nicer properties around the actual upload process while completely avoiding forms within the graphql endpoint.
The ideal outcome for me would be making this functionality opt-in, and disabled by default.
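
An added example, not part of the original issue and not the library's own code: a stdlib-only WSGI guard that lets only `application/json` POSTs reach the GraphQL endpoint, so form-encoded bodies (which browsers send cross-site without a CORS preflight) are refused before the view runs. The `/graphql` mount path and the `JsonOnlyGraphQL`, `_demo_app` and `status_for` names are assumptions made for the illustration.

```python
import json


class JsonOnlyGraphQL:
    """WSGI middleware (hypothetical name): allowlist application/json on the GraphQL path.

    multipart/form-data, application/x-www-form-urlencoded and text/plain are the
    body types an HTML form can submit cross-site without a CORS preflight, so an
    allowlist of application/json keeps all three away from the endpoint.
    """

    def __init__(self, app, path="/graphql"):  # path is an assumed mount point
        self.app = app
        self.path = path

    def __call__(self, environ, start_response):
        on_endpoint = environ.get("PATH_INFO", "").rstrip("/") == self.path
        if on_endpoint and environ.get("REQUEST_METHOD") == "POST":
            # Drop parameters such as "; boundary=..." or "; charset=utf-8".
            media_type = environ.get("CONTENT_TYPE", "").split(";", 1)[0].strip().lower()
            if media_type != "application/json":
                body = json.dumps({"errors": [{"message": "Unsupported Content-Type"}]}).encode()
                start_response("415 Unsupported Media Type", [
                    ("Content-Type", "application/json"),
                    ("Content-Length", str(len(body))),
                ])
                return [body]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    # Constructed stand-in for the real GraphQL view.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"data": {}}']


def status_for(content_type, method="POST", path="/graphql"):
    """Send one constructed request through the guard and return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "CONTENT_TYPE": content_type}
    JsonOnlyGraphQL(_demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

With Flask, the guard wraps the application as `app.wsgi_app = JsonOnlyGraphQL(app.wsgi_app)`.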