couchdb-dev mailing list archives

From Florian Weimer
Subject Re: Futon cannot use the RESTful HTTP API
Date Fri, 19 Feb 2010 11:36:06 GMT
* Christopher Lenz:

> There is no such thing as a Futon "database" (unless something big

Yeah, the second "Futon" should read "CouchDB".

> slipped through my radar recently), and if there's a CSRF problem
> with CouchDB I can't see how it'd be related to Futon? Futon is just
> a couple of static files that have XHR access to CouchDB due to
> being served from the same domain. There is no server-side component
> to Futon that handles POST requests etc, everything goes directly to
> the CouchDB HTTP API.

There is a server-side component which provides access to the HttpOnly
cookie (under /_session, IIRC).

> AFAICT there's no reason an attacker would want to attack through
> Futon rather than going directly through the API. Actually I don't
> even see how that would work.

CSRF requires an established session, and that's there if Futon is

>>  This is because browsers do not prevent cross-domain POST
>> requests using XMLHttpRequest.
> Huh? I'm pretty sure they do prevent exactly that (that's the "same
> origin" policy).

Not for GET and POST requests.  You just can't read the output.  (PUT,
DELETE etc. are a different matter.)
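The point in dispute above (a cross-origin GET or POST is sent, cookie and all, and only the response is withheld, while PUT and DELETE are not sent at all) is modelled in the added example below. It is not code from the original thread, from CouchDB or from Futon. It goes a little beyond the message by applying the full CORS "simple request" rule as it stands (method, custom headers and Content-Type all decide whether a preflight is needed), and pairs it with the kind of server-side check a CouchDB-style API could use to tell a forged cross-site POST from a legitimate one. The trusted origin, the `X-Requested-With` requirement and the sample requests are assumptions for illustration.

```javascript
// Added example, not CouchDB or Futon code. Models (1) which cross-origin
// XMLHttpRequests a browser sends without a CORS preflight and (2) a
// server-side check that refuses the ones it cannot distinguish from a
// legitimate same-origin call. The rules in (1) follow the CORS "simple
// request" definition; the policy in (2) is an assumed illustration.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Headers a script may set without forcing a preflight.
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Headers the browser itself attaches; a script cannot set them, so they
// never trigger a preflight. Note that Cookie is among them: the session
// cookie rides along on a cross-origin POST just as on a same-origin one.
const BROWSER_SET_HEADERS = new Set(['origin', 'referer', 'cookie', 'host']);

function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Would the browser send this cross-origin request without a preflight?
// If so, the request reaches the server; the script just cannot read the reply.
function sentWithoutPreflight(method, headers) {
  const h = normaliseHeaders(headers);
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false; // PUT, DELETE, ...
  for (const name of Object.keys(h)) {
    if (BROWSER_SET_HEADERS.has(name)) continue;
    if (!SIMPLE_HEADERS.has(name)) return false; // e.g. X-Requested-With
  }
  if ('content-type' in h) {
    const mime = h['content-type'].split(';')[0].trim().toLowerCase();
    if (!SIMPLE_CONTENT_TYPES.has(mime)) return false; // e.g. application/json
  }
  return true;
}

// Server side (assumed policy): a cookie alone proves nothing, because the
// browser attaches it to cross-site POSTs too. Accept a state-changing
// request only if the browser-set Origin (or Referer) is our own origin and
// the request carries a header that a forged cross-site POST cannot carry
// without a preflight we never approve.
function serverAccepts(req, trustedOrigin) {
  const h = normaliseHeaders(req.headers);
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD') return true; // assumed side-effect free
  const origin = h['origin'] || (h['referer'] ? new URL(h['referer']).origin : null);
  if (origin !== trustedOrigin) return false;
  if (!('x-requested-with' in h)) return false;
  return true;
}

// End-to-end fate of a request a page at req.headers.Origin tries to send.
function outcome(req, trustedOrigin) {
  const h = normaliseHeaders(req.headers);
  const crossOrigin = h['origin'] !== trustedOrigin;
  if (crossOrigin && !sentWithoutPreflight(req.method, req.headers)) return 'blocked-by-browser';
  return serverAccepts(req, trustedOrigin) ? 'accepted' : 'rejected-by-server';
}

// Constructed sample requests (not captured traffic).
const TRUSTED = 'https://couch.example';
const ATTACKER = 'https://evil.example';
const samples = {
  // What the thread is about: cross-site POST with the victim's cookie.
  forgedPost: { method: 'POST', headers: { Origin: ATTACKER, Cookie: 'AuthSession=abc', 'Content-Type': 'text/plain' } },
  forgedJson: { method: 'POST', headers: { Origin: ATTACKER, Cookie: 'AuthSession=abc', 'Content-Type': 'application/json' } },
  forgedPut:  { method: 'PUT',  headers: { Origin: ATTACKER, Cookie: 'AuthSession=abc' } },
  legitPost:  { method: 'POST', headers: { Origin: TRUSTED, Cookie: 'AuthSession=abc', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' } },
};

function runSamples() {
  const result = {};
  for (const [name, req] of Object.entries(samples)) result[name] = outcome(req, TRUSTED);
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

The forged `text/plain` POST is the case Florian describes: the browser sends it with the cookie attached and it reaches the server, so only the server-side check stops it. Switching the body type to `application/json`, or using PUT, makes the browser preflight first, which is why the check must not rely on that alone.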
