incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sebastian Cohnen <sebastiancoh...@googlemail.com>
Subject Re: application/json header requirements
Date Thu, 12 Aug 2010 06:46:57 GMT
Thanks for the hint, chris. Although I would not rely on specs when it comes to security (especially
not in the webbrowser area^^). But maybe you are right, and current browsers simply don't
allow to do this so we are on the safe side here.

Best

Sebastian

On 12.08.2010, at 08:33, J Chris Anderson wrote:

> 
> On Aug 11, 2010, at 11:25 PM, Sebastian Cohnen wrote:
> 
>> Are you really sure that checking for content-type header prevents CSS/CSRF attacks?
The only thing I can think of to "really" protect cookie-based authentication from this kind
of attacks is to use a non-guessable one-time token to verify the requests origin (e.g. from
a futon page).
>> 
> 
> http://www.w3.org/TR/html5/author/association-of-controls-and-forms.html#form-submission-0
> 
> This suggests the set of allowable content types is limited and does not include application/json.
In my testing I was unable to get any browsers to submit cross-domain forms with application/json
content type.
> 
> If anyone can get a brower to do this, please let us know, as we'll have to figure out
another defense.
> 
> Chris
> 
>> On 12.08.2010, at 02:09, Damien Katz wrote:
>> 
>>> This is to prevent CSS attacks, where an admin is logged into a CouchDB server
and form POST on a hostile webpage can trigger actions. The content type check prevents such
attacks.
>>> 
>>> However, I am thinking instead of requiring application/json, we could instead
check for multiplepart/form-data instead. However, I'm not sure if that's secure or not.
>>> 
>>> Input welcome.
>>> 
>>> -Damien
>>> 
>>> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>>> 
>>>> Hi,
>>>> 
>>>> Just had to update couchdb-python to send a "Content-Type:
>>>> application/json" header for _ensure_full_commit. Can someone explain
>>>> why the header is needed when there's no content?
>>>> 
>>>> Thanks, Matt
>>> 
>> 
> 


Mime
View raw message