* Christopher Lenz:

> There is no such thing as a Futon "database" (unless something big
> slipped through my radar recently), and if there's a CSRF problem
> with CouchDB I can't see how it'd be related to Futon?

Yeah, the second "Futon" should read "CouchDB".

> Futon is just a couple of static files that have XHR access to CouchDB due to
> being served from the same domain. There is no server-side component
> to Futon that handles POST requests etc, everything goes directly to
> the CouchDB HTTP API.

There is a server-side component which provides access to the HttpOnly cookie (under /_session, IIRC).

> AFAICT there's no reason an attacker would want to attack through
> Futon rather than going directly through the API. Actually I don't
> even see how that would work.

CSRF requires an established session, and that's there if Futon is used.

>> This is because browsers do not prevent cross-domain POST
>> requests using XMLHttpRequest.
>
> Huh? I'm pretty sure they do prevent exactly that (that's the "same
> origin" policy).

Not for GET and POST requests. You just can't read the output. (PUT, DELETE etc. are a different matter.)
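To make the distinction in that last exchange concrete, here is an added example (not code from this thread and not CouchDB's own code). It classifies a request the way a browser's CORS rules do: GET/HEAD/POST with a form or text/plain body are sent cross-origin without a preflight, so the server sees them even though the page cannot read the reply; PUT, DELETE or a JSON body trigger an OPTIONS preflight first. It then shows the generic server-side mitigation of refusing cookie-authenticated state changes whose Origin header is not the site's own. The origins, the cookie name `session` and the `Request` shape are constructed for the example; the thread names only the `/_session` endpoint, not a cookie name.

```python
"""Added example: CORS "simple request" classification and an Origin-based
CSRF check. Not from the thread and not CouchDB code; the origins, cookie
name and Request type below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Per the Fetch standard, only these methods and Content-Types are
# "CORS-safelisted": the browser sends them cross-origin without asking.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Hypothetical cookie name for the example; CouchDB's real name is not on the page.
SESSION_COOKIE = "session"


@dataclass
class Request:
    method: str
    origin: Optional[str]                      # Origin header, None if absent
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def sent_without_preflight(req: Request) -> bool:
    """True if a browser fires this cross-origin request immediately.

    The same-origin policy then only hides the *response* from the page;
    the request itself, cookies included, still reaches the server.
    """
    if req.method.upper() not in SIMPLE_METHODS:
        return False
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype and ctype not in SIMPLE_CONTENT_TYPES:
        return False
    # Any header outside the safelist (e.g. X-Requested-With) forces a preflight.
    return all(h.lower() in SAFELISTED_HEADERS for h in req.headers)


def csrf_exposed(req: Request, trusted_origin: str) -> bool:
    """A state-changing request that carries the session cookie, comes from a
    foreign origin, and needs no preflight is exactly the CSRF shape the
    reply describes."""
    return (
        req.method.upper() in STATE_CHANGING
        and SESSION_COOKIE in req.cookies
        and req.origin != trusted_origin
        and sent_without_preflight(req)
    )


def allow_request(req: Request, trusted_origin: str) -> bool:
    """Server-side mitigation: cookie-authenticated writes must carry the
    site's own Origin. A missing Origin is treated as foreign."""
    if req.method.upper() not in STATE_CHANGING or SESSION_COOKIE not in req.cookies:
        return True  # reads and unauthenticated requests are not the concern here
    return req.origin == trusted_origin


if __name__ == "__main__":
    # Constructed sample requests against a constructed trusted origin.
    trusted = "http://couch.example:5984"
    samples = {
        "form POST from foreign page": Request(
            "POST", "http://other.example",
            {"Content-Type": "application/x-www-form-urlencoded"}, {SESSION_COOKIE: "s1"}),
        "JSON PUT from foreign page": Request(
            "PUT", "http://other.example",
            {"Content-Type": "application/json"}, {SESSION_COOKIE: "s1"}),
        "text/plain POST from own page": Request(
            "POST", trusted, {"Content-Type": "text/plain"}, {SESSION_COOKIE: "s1"}),
    }
    for name, r in samples.items():
        print(f"{name}: preflight-free={sent_without_preflight(r)} "
              f"csrf_exposed={csrf_exposed(r, trusted)} allowed={allow_request(r, trusted)}")
```

The `text/plain` case is worth noting: an XHR can set that Content-Type and still stay preflight-free, so a server that only parses JSON bodies must not assume a JSON-looking `text/plain` body came from its own pages; the Origin check, or a token the foreign page cannot read, is what actually closes the gap.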
