Florian,

Do you have any examples of how other sites have protected against this? Unless I'm missing something I don't see how this is specific to Futon so surely someone else has some explicit documentation on how to avoid such things.

Thanks,
Paul Davis

On Wed, Feb 17, 2010 at 3:34 PM, Florian Weimer <[email protected]> wrote:
> * Jan Lehnardt:
>
>> thanks for reporting this, but I'm not sure I understand what's supposed to be
>> going on. Can I ask you to explain in a little more detail what your concerns
>> are?
>
> If you have an open Futon session, any web site you visit can write to
> the Futon database, provided that the URL to the CouchDB instance is
> known. This is because browsers do not prevent cross-domain POST
> requests using XMLHttpRequest. The Futon session cookie will not be
> transmitted by some browsers due to the HttpOnly flag. (Regular
> form-based POSTs do not appear to work as the content type is not
> correct.)
>
> Anyone who can write to the CouchDB instance can upload an HTML
> document which contains embedded Javascript as an attachment to a
> document which is reachable with a fixed URL. If a Futon user loads
> this document accidentally (or loading it is forced by a malicious web
> page that is displayed with an open Futon session), the Javascript
> executes with full access to the database (read and write access,
> including PUT etc. methods). This risk also exists if the browser
> supports HttpOnly cookies.
>
> Is this description more clear?
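Two request-level checks a server in front of a CouchDB-style JSON API could apply against the issues Florian describes (rejecting cross-site writes, and serving uploaded HTML attachments so they are not rendered in the Futon origin). This is an added illustration, not CouchDB or Futon code; `EXPECTED_ORIGIN`, `is_cross_site_write` and `attachment_response_headers` are hypothetical names and the host value is constructed.

```python
from urllib.parse import urlsplit

# Constructed value: the origin at which the CouchDB instance is reached.
EXPECTED_ORIGIN = "http://couch.example.test:5984"
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def _origin_of(url: str) -> str:
    """Reduce a URL (e.g. a Referer value) to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""


def is_cross_site_write(method: str, headers: dict) -> bool:
    """True when a state-changing request does not provably come from our origin.

    Cross-domain XHR POSTs carry an Origin header (or at least a Referer) naming
    the other site; a mismatch, or a write with neither header, is treated as
    forged (fail closed). Reads (GET/HEAD) are left untouched.
    """
    if method.upper() not in STATE_CHANGING:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    src = (h.get("origin") or _origin_of(h.get("referer", ""))).lower()
    return src != EXPECTED_ORIGIN.lower()


def attachment_response_headers(content_type: str) -> dict:
    """Response headers for a stored attachment.

    HTML-like types are forced to download and sandboxed so that script in an
    uploaded attachment cannot run with the Futon user's database access.
    """
    base_type = content_type.split(";")[0].strip().lower()
    renders_script = base_type in {"text/html", "application/xhtml+xml", "image/svg+xml"}
    hdrs = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if renders_script:
        hdrs["Content-Disposition"] = "attachment"
        hdrs["Content-Security-Policy"] = "sandbox"
    return hdrs
```

The Origin/Referer check complements, rather than replaces, the HttpOnly cookie flag mentioned in the thread, since that flag does not stop the browser from sending the cookie on a forged request.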
