Subject: Re: application/json header requirements
From: Damien Katz
Date: Wed, 11 Aug 2010 17:09:46 -0700
To: user@couchdb.apache.org
Cc: dev@couchdb.apache.org

This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
However, I am thinking that instead of requiring application/json, we could check for multipart/form-data instead. However, I'm not sure if that's secure or not. Input welcome.

-Damien

On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:

> Hi,
>
> Just had to update couchdb-python to send a "Content-Type:
> application/json" header for _ensure_full_commit. Can someone explain
> why the header is needed when there's no content?
>
> Thanks, Matt
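An added illustration of the content-type gate discussed in this thread, written for this archive page and not taken from CouchDB or couchdb-python. It assumes only the three media types an HTML form's enctype attribute can produce, and uses it to show why requiring application/json blocks a cross-site form POST while accepting multipart/form-data would not:

```python
from typing import Callable, Optional

# The only media types a plain HTML <form> submission can carry
# (the legal values of the enctype attribute). A hostile page's form
# cannot declare anything else.
FORM_ENCTYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

REQUIRED_TYPE = "application/json"


def media_type(content_type: Optional[str]) -> str:
    """Lowercase media type with parameters such as '; charset=utf-8'
    or '; boundary=...' removed. A missing header yields ''."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def accept_json_only(content_type: Optional[str]) -> bool:
    """The rule CouchDB applies: the request must declare application/json,
    even when the body is empty, as with _ensure_full_commit."""
    return media_type(content_type) == REQUIRED_TYPE


def accept_multipart(content_type: Optional[str]) -> bool:
    """The alternative floated in the thread: accept multipart/form-data."""
    return media_type(content_type) == "multipart/form-data"


def forgeable_by_form(content_type: Optional[str]) -> bool:
    """True if a cross-site <form> could have produced this content type."""
    return media_type(content_type) in FORM_ENCTYPES


def blocks_form_posts(rule: Callable[[Optional[str]], bool]) -> bool:
    """Does a content-type rule reject every request a form can send?
    A rule that accepts any form enctype is a CSRF hole."""
    return not any(rule(ct) for ct in FORM_ENCTYPES)


if __name__ == "__main__":
    print("json-only blocks forms:", blocks_form_posts(accept_json_only))
    print("multipart blocks forms:", blocks_form_posts(accept_multipart))
```

The rule relies on browsers refusing to let a page send a custom Content-Type cross-origin without the server's consent, which is why the header matters even when there is no body to describe.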