couchdb-dev mailing list archives

From J Chris Anderson <jch...@gmail.com>
Subject Re: Futon cannot use the RESTful HTTP API
Date Fri, 19 Feb 2010 15:04:51 GMT

On Feb 19, 2010, at 6:43 AM, Florian Weimer wrote:

> * Paul Davis:
> 
>> Do you have any examples of how other sites have protected against
>> this? Unless I'm missing something I don't see how this is specific to
>> Futon so surely someone else has some explicit documentation on how to
>> avoid such things.
> 
> The standard countermeasure puts session identifiers into URLs
> (sometimes they are called "form tokens", but this doesn't fit the
> context here).
> 
> Upon login, the client could specify if it wants a session with or
> without form tokens.


Because of the sensitive nature of security issues we've been discussing this on the security
list.

The consensus is that we should use a nonce-based system for any requests that accept form
POSTs.

You've mentioned a couple of times that XHR can make cross-domain POST requests. I'm not sure
this is the case (I know you can do cross-domain form posts).

If you have a resource or example showing cross-domain XHR with a JSON content type we'd love
to see it so we can take it into account.

Chris

