couchdb-user mailing list archives

From J Chris Anderson <jch...@apache.org>
Subject Re: application/json header requirements
Date Thu, 12 Aug 2010 06:33:42 GMT

On Aug 11, 2010, at 11:25 PM, Sebastian Cohnen wrote:

> Are you really sure that checking for the content-type header prevents CSS/CSRF attacks?
> The only thing I can think of to "really" protect cookie-based authentication from this kind
> of attack is to use a non-guessable one-time token to verify the request's origin (e.g. from
> a futon page).
> 

http://www.w3.org/TR/html5/author/association-of-controls-and-forms.html#form-submission-0

This suggests the set of allowable content types is limited and does not include application/json.
In my testing I was unable to get any browsers to submit cross-domain forms with application/json
content type.

If anyone can get a browser to do this, please let us know, as we'll have to figure out another
defense.

Chris

> On 12.08.2010, at 02:09, Damien Katz wrote:
> 
>> This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a
>> form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
>> 
>> However, I am thinking instead of requiring application/json, we could instead check
>> for multipart/form-data. However, I'm not sure if that's secure or not.
>> 
>> Input welcome.
>> 
>> -Damien
>> 
>> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>> 
>>> Hi,
>>> 
>>> Just had to update couchdb-python to send a "Content-Type:
>>> application/json" header for _ensure_full_commit. Can someone explain
>>> why the header is needed when there's no content?
>>> 
>>> Thanks, Matt
>> 
> 
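Added example, not CouchDB's own code and not from anyone in this thread: a small Python model of the Content-Type gate the thread describes, run over constructed requests. It assumes a server that authenticates with a session cookie (the `AuthSession=x` value below is a placeholder) and that the set of enctypes an HTML form can submit with is the one in the HTML5 form-submission section Chris links. It also answers Matt's question directly: the check is on the header, not the body, so a bodiless request with no Content-Type is rejected just like a form post.

```python
# Added example (not CouchDB's own code): a model of the Content-Type gate
# discussed in this thread, applied to constructed requests. The server it
# assumes authenticates with a session cookie, so a browser attaches that
# cookie to any cross-site form submission automatically; the gate is what
# stops such a submission from being treated as an API call.

# The enctypes an HTML <form> may submit with (HTML5 form submission
# algorithm, the section linked in the thread). A hostile page cannot make
# a form send anything outside this set.
FORM_ENCTYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Methods the model treats as non-state-changing and therefore ungated.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def media_type(content_type):
    """Lowercased media type with parameters stripped, or None if absent.

    Parsing parameters matters: a client sending
    'application/json; charset=utf-8' must pass, and a form sending
    'multipart/form-data; boundary=...' must fail.
    """
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def accept_state_change(method, headers):
    """Return True if a cookie-authenticated request may change state.

    Only application/json passes. The decision uses the header alone, not
    the body, which is why a bodiless request such as _ensure_full_commit
    still has to carry it: a request with no Content-Type cannot be told
    apart from a form post, so it is rejected.
    """
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    return media_type(lowered.get("content-type")) == "application/json"


def browser_form_can_send(content_type):
    """True if an HTML form could produce this Content-Type."""
    return media_type(content_type) in FORM_ENCTYPES


# Constructed requests. The Cookie value is a placeholder, not a real session.
_COOKIE = "AuthSession=x"
CONSTRUCTED_REQUESTS = {
    "form, default enctype": ("POST", {
        "Cookie": _COOKIE, "Content-Type": "application/x-www-form-urlencoded"}),
    "form, multipart enctype": ("POST", {
        "Cookie": _COOKIE, "Content-Type": "multipart/form-data; boundary=----abc"}),
    "form, text/plain enctype": ("POST", {
        "Cookie": _COOKIE, "Content-Type": "text/plain"}),
    "empty POST, no header": ("POST", {"Cookie": _COOKIE}),
    "client, JSON, empty body": ("POST", {
        "Cookie": _COOKIE, "Content-Type": "application/json; charset=utf-8"}),
    "client, GET": ("GET", {"Cookie": _COOKIE}),
}


def gate_results():
    """Run the gate over the constructed requests: label -> accepted?"""
    return {label: accept_state_change(method, headers)
            for label, (method, headers) in CONSTRUCTED_REQUESTS.items()}


if __name__ == "__main__":
    for label, accepted in gate_results().items():
        print(f"{label:28s} {'accepted' if accepted else 'rejected'}")
```

Run as a script it prints one line per constructed request; the three form posts and the header-less POST are rejected, the JSON client request is accepted even with an empty body. Damien's alternative of keying on multipart/form-data fails this model, since `browser_form_can_send` reports that type as reachable from a plain form. The gate's entire strength is the browser's refusal to send any other type from a form; it says nothing about a cross-origin XMLHttpRequest, which cannot set application/json without a CORS preflight the server would have to answer permissively.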

