From: Paul Davis
Date: Wed, 17 Feb 2010 16:46:51 -0500
Subject: Re: Futon cannot use the RESTful HTTP API
To: dev@couchdb.apache.org
In-Reply-To: <87bpfnbnzn.fsf@mid.deneb.enyo.de>
References: <87bpfz5t39.fsf@mid.deneb.enyo.de> <150F65D6-87CE-4C90-8242-F639F3B3B48D@apache.org> <87bpfnbnzn.fsf@mid.deneb.enyo.de>

Florian,

Do you have any examples of how other sites have protected against this? Unless I'm missing something, I don't see how this is specific to Futon, so surely someone else has some explicit documentation on how to avoid such things.

Thanks,
Paul Davis

On Wed, Feb 17, 2010 at 3:34 PM, Florian Weimer wrote:
> * Jan Lehnardt:
>
>> Thanks for reporting this, but I'm not sure I understand what's supposed to be
>> going on. Can I ask you to explain in a little more detail what your concerns
>> are?
>
> If you have an open Futon session, any web site you visit can write to
> the Futon database, provided that the URL to the CouchDB instance is
> known. This is because browsers do not prevent cross-domain POST
> requests using XMLHttpRequest. The Futon session cookie will not be
> transmitted by some browsers due to the HttpOnly flag. (Regular
> form-based POSTs do not appear to work, as the content type is not
> correct.)
>
> Anyone who can write to the CouchDB instance can upload an HTML
> document which contains embedded Javascript as an attachment to a
> document which is reachable with a fixed URL. If a Futon user loads
> this document accidentally (or loading it is forced by a malicious web
> page that is displayed with an open Futon session), the Javascript
> executes with full access to the database (read and write access,
> including PUT etc. methods). This risk also exists if the browser
> supports HttpOnly cookies.
>
> Is this description more clear?
>
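Paul asks how other sites protect against this. The two issues Florian describes have standard defences: a CSRF rule for cookie-authenticated writes (a request that an HTML form or a non-preflighted cross-origin XMLHttpRequest could have produced is refused, and the browser-supplied Origin or Referer must match a trusted origin), and response-header hardening so that an uploaded HTML or SVG attachment is downloaded rather than rendered on the database's own origin. The following is an added example and is not code from this thread, from CouchDB or from Futon: it expresses those two policies as a small Node.js module that a reverse proxy in front of a CouchDB instance could apply. The allowed origin, the cookie value and the sample requests are constructed assumptions.

```javascript
// Added example (not CouchDB or Futon code): request/response policy a reverse
// proxy in front of CouchDB could enforce against the two problems in the thread.
// Hostnames, cookie values and the sample requests are constructed for illustration.

// Origins allowed to perform cookie-authenticated writes (assumed Futon origin).
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:5984']);

// Content types an HTML form or a "simple" (non-preflighted) cross-origin
// XMLHttpRequest POST can carry. A POST with any other type is held back by the
// browser for a CORS preflight, which this proxy never answers positively.
const FORM_SAFE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Types a browser would execute as a script-bearing document if served inline.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// Normalise "text/html; charset=utf-8" to "text/html" ('' when absent).
function mediaType(value) {
  return (value || '').split(';')[0].trim().toLowerCase();
}

// Reduce a Referer URL to its origin, or null if absent or unparseable.
function originOf(url) {
  try { return url ? new URL(url).origin : null; } catch { return null; }
}

// CSRF policy for a request {method, headers} (header names lowercase).
// Returns null when the request may be forwarded, otherwise a reason for a 403.
// Requests without a cookie (curl with Basic auth, scripts) carry no ambient
// credential that a third-party page could ride on, so they are left alone.
function csrfVerdict(req) {
  const method = req.method.toUpperCase();
  const h = req.headers;
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return null;
  if (!h.cookie) return null;
  // Rule 1: a cookie-authenticated POST must not look like something a form or
  // a simple XHR could have sent. PUT/DELETE/COPY are already preflighted by
  // browsers and impossible from forms, so they need no content-type rule.
  if (method === 'POST' && FORM_SAFE_TYPES.has(mediaType(h['content-type']) || 'text/plain')) {
    return 'cookie-authenticated POST must use a non-form content type such as application/json';
  }
  // Rule 2: defence in depth against a misconfigured CORS allow-list. The
  // browser-supplied Origin (or the Referer's origin) must be one we trust.
  const origin = h.origin || originOf(h.referer);
  if (origin === null) return 'cookie-authenticated write without Origin or Referer';
  if (!ALLOWED_ORIGINS.has(origin)) return `origin ${origin} is not allowed to write`;
  return null;
}

// Response headers for GET /db/doc/attachment, rewritten so an uploaded HTML or
// SVG file is downloaded instead of rendered on the CouchDB origin, and so the
// browser does not sniff a disguised file back into HTML.
function hardenAttachmentHeaders(headers) {
  const out = { ...headers };
  if (ACTIVE_TYPES.has(mediaType(out['content-type']))) {
    out['content-type'] = 'application/octet-stream';
  }
  out['content-disposition'] = 'attachment';
  out['x-content-type-options'] = 'nosniff';
  // If something still renders it, it gets an opaque origin and no script.
  out['content-security-policy'] = "default-src 'none'; sandbox";
  return out;
}

// Constructed sample traffic (not captured from a real instance).
const COOKIE = 'AuthSession=constructed-session-token';
const SAMPLES = {
  formCsrf: { method: 'POST', headers: { cookie: COOKIE,
    'content-type': 'application/x-www-form-urlencoded', origin: 'http://attacker.example' } },
  simpleXhrCsrf: { method: 'POST', headers: { cookie: COOKIE,
    'content-type': 'text/plain', referer: 'http://attacker.example/page.html' } },
  jsonXhrFromAttacker: { method: 'POST', headers: { cookie: COOKIE,
    'content-type': 'application/json', origin: 'http://attacker.example' } },
  futonBulkDocs: { method: 'POST', headers: { cookie: COOKIE,
    'content-type': 'application/json', origin: 'http://127.0.0.1:5984' } },
  curlPut: { method: 'PUT', headers: { authorization: 'Basic Y29uc3RydWN0ZWQ=',
    'content-type': 'application/json' } },
  futonRead: { method: 'GET', headers: { cookie: COOKIE } },
};

// Evaluate every sample; a null value means "forward", a string means "403".
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = csrfVerdict(req);
  return out;
}

console.log(runSamples());
console.log(hardenAttachmentHeaders({ 'content-type': 'text/html; charset=utf-8', etag: '"1-abc"' }));
```

Two caveats on the design. Rule 1 only holds while the write endpoints never emit an Access-Control-Allow-Origin header; the moment CORS is opened up, only rule 2 stands between a third-party page and the database, and rejecting cookie-authenticated writes that carry neither Origin nor Referer is a deliberate strictness tradeoff. For attachments, the stronger fix is to serve them from a separate origin altogether; the header rewriting above is the in-place fallback when that is not possible, at the cost of Futon no longer being able to display such attachments inline.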