couchdb-user mailing list archives

From Damien Katz <dam...@apache.org>
Subject Re: application/json header requirements
Date Thu, 12 Aug 2010 00:09:46 GMT
This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST
on a hostile webpage can trigger actions. The content type check prevents such attacks.

However, I am thinking that instead of requiring application/json, we could check for multipart/form-data
instead. However, I'm not sure if that's secure or not.

Input welcome.

-Damien

On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:

> Hi,
> 
> Just had to update couchdb-python to send a "Content-Type:
> application/json" header for _ensure_full_commit. Can someone explain
> why the header is needed when there's no content?
> 
> Thanks, Matt
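The gate Damien describes, as an added example written for this archive page (it is not CouchDB's code and not code from either poster): a state-changing request is accepted only when its Content-Type is application/json, which a plain HTML form cannot send. The second helper makes the point about the alternative he floats, since multipart/form-data is one of the encodings a form can emit on its own. The request tuples are constructed sample input; the function names are my own.

```python
from typing import Mapping, Optional, Tuple

# Media types an HTML <form enctype="..."> can emit with no script involved.
# A cross-site form POST from a hostile page is always one of these.
FORM_SUBMITTABLE = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Methods that change server state and therefore need the check.
STATE_CHANGING = {"POST", "PUT", "DELETE"}

REQUIRED_MEDIA_TYPE = "application/json"


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type: Optional[str]) -> str:
    """Drop parameters such as '; charset=utf-8' or '; boundary=...' and lower-case the type."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_form_submittable(mt: str) -> bool:
    """True if a browser form could have produced this media type without script help."""
    return mt in FORM_SUBMITTABLE


def accept_request(method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request.

    Reads and other safe methods pass untouched. State-changing requests must
    declare application/json, even when the body is empty (the _ensure_full_commit
    case from the thread), because an empty form POST still carries a form type.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, no content-type requirement"
    mt = media_type(header(headers, "Content-Type"))
    if mt == REQUIRED_MEDIA_TYPE:
        return True, "declared application/json"
    if is_form_submittable(mt):
        return False, f"{mt} is form-submittable, could be a cross-site form POST"
    if mt == "":
        return False, "no Content-Type on a state-changing request"
    return False, f"unexpected media type {mt}"


# Constructed sample requests: (label, method, headers).
SAMPLES = [
    ("couchdb-python before its fix", "POST", {}),
    ("couchdb-python after its fix", "POST", {"content-type": "application/json"}),
    ("hostile page, default form encoding", "POST",
     {"Content-Type": "application/x-www-form-urlencoded"}),
    ("hostile page, multipart form", "POST",
     {"Content-Type": "multipart/form-data; boundary=abc123"}),
    ("plain read", "GET", {}),
]

if __name__ == "__main__":
    for label, method, hdrs in SAMPLES:
        ok, why = accept_request(method, hdrs)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {label:40s} {why}")
```

Running the block rejects the empty-header POST (the behaviour Matt ran into) and both form encodings, including the multipart one, while accepting the JSON client and the GET. The check holds because a browser will not let a plain form pick an arbitrary Content-Type; a script can set application/json on a cross-origin request, but that is a non-simple request and is subject to the browser's CORS handling rather than sent silently with the admin's cookies.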

