couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: Futon cannot use the RESTful HTTP API
Date Tue, 16 Feb 2010 22:47:30 GMT
Hi Florian,

thanks for reporting this, but I'm not sure I understand what's supposed to be
going on. Can I ask you to explain in a little more detail what your concerns
are?

Cheers
Jan
--



On 8 Feb 2010, at 13:13, Florian Weimer wrote:

> Due to CSRF issues, Futon cannot use that API.  You really need to
> include some sort of token in the URL (or in an HTTP header) which
> does not get passed on automatically by the browser.  Right now,
> you're relying on HttpOnly support in the browser, which is not
> available universally.
> 
> You also have a cross-site scripting issue with uploaded document
> attachments.  Right now, it is possible to use an inline document
> attachment in a POST request for a new document to upload Javascript
> to the server, and have it served back to you for execution.  At this
> point, the same-origin restrictions do not apply anymore.
> Unfortunately, it is a bit difficult to stop browsers from
> interpreting crafted blobs as HTML, so I have no good advice to offer
> here.  Even if the first issue is addressed, you still have to deal
> with Futon users viewing attachments accidentally.

