From dev-return-8730-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org Fri Feb 19 19:44:06 2010
Subject: Re: Futon cannot use the RESTful HTTP API
From: J Chris Anderson
To: dev@couchdb.apache.org
Date: Fri, 19 Feb 2010 10:04:51 -0500
Message-Id: <69362DE8-1F2D-47F1-91D3-ADD49DF31D74@gmail.com>
In-Reply-To: <87sk8xzc10.fsf@mid.deneb.enyo.de>
References: <87bpfz5t39.fsf@mid.deneb.enyo.de> <150F65D6-87CE-4C90-8242-F639F3B3B48D@apache.org> <87bpfnbnzn.fsf@mid.deneb.enyo.de> <87sk8xzc10.fsf@mid.deneb.enyo.de>

On Feb 19, 2010, at 6:43 AM, Florian Weimer wrote:

> * Paul Davis:
>
>> Do you have any examples of how other sites have protected against
>> this? Unless I'm missing something I don't see how this is specific to
>> Futon so surely someone else has some explicit documentation on how to
>> avoid such things.
>
> The standard countermeasure puts session identifiers into URLs
> (sometimes they are called "form tokens", but this doesn't fit the
> context here).
>
> Upon login, the client could specify if it wants a session with or
> without form tokens.

Because of the sensitive nature of security issues we've been discussing this on the security list.
The consensus is that we should use a nonce-based system for any requests that accept form POSTs.

You've mentioned a couple of times that XHR can make cross-domain POST requests. I'm not sure this is the case (I know you can do cross-domain form posts).

If you have a resource or example showing cross-domain XHR with a JSON content type we'd love to see it so we can take it into account.

Chris