Why is it allowed to send mutations using GET method?

[ktutnik]

First, thank you for the hard work to make such a great library :kudos

So I see from the example and found that mutation can be requested using GET method:

https://github.com/graphql-go/graphql/blob/f02a1c961028d3ba7ac6bb22eaa09b31a2cb53dd/examples/crud/main.go#L136-L139

and look like that is by design. See line 68 below tries to get the query from query string. And I can't find a way to disable the GET method.

handler/handler.go

Lines 67 to 78 in f96ffdd

	func NewRequestOptions(r *http.Request) *RequestOptions {
	if reqOpt := getFromForm(r.URL.Query()); reqOpt != nil {
	return reqOpt
	}
	if r.Method != http.MethodPost {
	return &RequestOptions{}
	}
	if r.Body == nil {
	return &RequestOptions{}
	}

Because I am concerned that this is open for CSRF attack when you use Cookie authentication. Or am I missing something?

FYI: Apollo itself doesn't allow mutation request via GET method.