* Jan Lehnardt:
> thanks for reporting this, but I'm not sure I understand what's supposed to be
> going on. Can I ask you to explain in a little more detail what your concerns
> are?
If you have an open Futon session, any web site you visit can write to the Futon database, provided that the URL to the CouchDB instance is known. This is because browsers do not prevent cross-domain POST requests using XMLHttpRequest. The Futon session cookie will not be transmitted by some browsers due to the HttpOnly flag. (Regular form-based POSTs do not appear to work, as the content type is not correct.)

Anyone who can write to the CouchDB instance can upload an HTML document which contains embedded JavaScript as an attachment to a document which is reachable with a fixed URL. If a Futon user loads this document accidentally (or loading it is forced by a malicious web page that is displayed with an open Futon session), the JavaScript executes with full access to the database (read and write access, including PUT etc. methods). This risk also exists if the browser supports HttpOnly cookies.

Is this description more clear?
