incubator-couchdb-user mailing list archives

From Sebastian Cohnen <sebastiancoh...@googlemail.com>
Subject Re: application/json header requirements
Date Thu, 12 Aug 2010 06:25:41 GMT
Are you really sure that checking for the content-type header prevents CSS/CSRF attacks? The only
thing I can think of to "really" protect cookie-based authentication from this kind of attack
is to use a non-guessable one-time token to verify the request's origin (e.g. from a futon
page).

On 12.08.2010, at 02:09, Damien Katz wrote:

> This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form
> POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
> 
> However, I am thinking instead of requiring application/json, we could instead check
> for multipart/form-data instead. However, I'm not sure if that's secure or not.
> 
> Input welcome.
> 
> -Damien
> 
> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
> 
>> Hi,
>> 
>> Just had to update couchdb-python to send a "Content-Type:
>> application/json" header for _ensure_full_commit. Can someone explain
>> why the header is needed when there's no content?
>> 
>> Thanks, Matt
> 

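The two defences discussed in this thread, the Content-Type check Damien describes and the per-session token Sebastian proposes, as an added example that is not CouchDB's own code; the `X-CSRF-Token` header name and the in-memory session token are assumptions made for the example.

```python
"""Added example (not from the thread or from CouchDB): server-side CSRF checks
for cookie-authenticated, state-changing requests.

Why the Content-Type check helps: a browser <form> can only submit
application/x-www-form-urlencoded, multipart/form-data or text/plain, so
requiring application/json rejects a plain form POST from a hostile page.
It does not help against clients that can set arbitrary headers, and
accepting multipart/form-data (Damien's alternative) lets a form through.
"""
import hmac
import secrets

# Content types a browser <form> can produce without script (HTML enctype values).
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def media_type(content_type):
    """Strip parameters: 'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower() if content_type else ""


def browser_form_can_produce(headers):
    """True if a plain HTML form could have sent this Content-Type (so it is no CSRF barrier)."""
    return media_type(headers.get("Content-Type")) in FORM_CONTENT_TYPES


def passes_content_type_check(method, headers):
    """Damien's rule: a state-changing request must declare application/json, even with no body."""
    if method.upper() in SAFE_METHODS:
        return True
    return media_type(headers.get("Content-Type")) == "application/json"


def issue_token():
    """Unguessable per-session token: store it with the session and hand it to the page."""
    return secrets.token_urlsafe(32)


def passes_token_check(method, headers, session_token):
    """Sebastian's rule: the request must present the session's token (constant-time compare)."""
    if method.upper() in SAFE_METHODS:
        return True
    presented = headers.get("X-CSRF-Token", "")  # header name is an assumption for this example
    return bool(session_token) and hmac.compare_digest(presented, session_token)


# Constructed sample requests, as a hostile form and a legitimate JSON client would send them.
FORM_POST = {"Content-Type": "application/x-www-form-urlencoded"}
JSON_POST = {"Content-Type": "application/json; charset=utf-8"}
```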
