Hi Florian, thanks for reporting this, but I'm not sure I understand what's supposed to be going on. Can I ask you to explain in a little more detail what your concerns are?
Cheers
Jan

--

On 8 Feb 2010, at 13:13, Florian Weimer wrote:

> Due to CSRF issues, Futon cannot use that API. You really need to
> include some sort of token in the URL (or in an HTTP header) which
> does not get passed on automatically by the browser. Right now,
> you're relying on HttpOnly support in the browser, which is not
> available universally.
>
> You also have a cross-site scripting issue with uploaded document
> attachments. Right now, it is possible to use an inline document
> attachment in a POST request for a new document to upload Javascript
> to the server, and have it served back to you for execution. At this
> point, the same-origin restrictions do not apply anymore.
> Unfortunately, it is a bit difficult to stop browsers from
> interpreting crafted blobs as HTML, so I have no good advice to offer
> here. Even if the first issue is addressed, you still have to deal
> with Futon users viewing attachments accidentally.
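The two defenses Florian's report points at (a per-session token carried in a header the browser will not attach on its own, and serving uploaded attachments so the browser does not render them in the application's origin), as an added illustration that is not CouchDB or Futon code; the header name X-CSRF-Token, the in-memory session store and the filename sanitising are assumptions:

```python
import hmac
import secrets

# Constructed demo store: session id -> CSRF token bound to that session.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


def csrf_check(method, cookies, headers):
    """Allow a state-changing request only when the X-CSRF-Token header
    (assumed name) matches the token bound to the session cookie.

    The browser attaches cookies to cross-site requests automatically, which
    is why a cookie alone cannot prove intent; a custom header must be set
    by script running in the application's own origin."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # read-only methods carry no CSRF risk by themselves
    expected = SESSIONS.get(cookies.get("session"))
    presented = headers.get("X-CSRF-Token", "")
    if not expected or not presented:
        return False
    # Constant-time comparison so token checking does not leak timing.
    return hmac.compare_digest(expected, presented)


def attachment_headers(filename, content_type):
    """Response headers for a user-uploaded attachment.

    Content-Disposition: attachment asks the browser to download rather than
    render, and nosniff stops it from second-guessing the declared type as
    HTML. Serving uploads from a separate origin is the more robust fix."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-")
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name or "download"}"',
        "X-Content-Type-Options": "nosniff",
    }
```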
