[
https://issues.apache.org/jira/browse/COUCHDB-2797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14728924#comment-14728924
]
Dale Harvey commented on COUCHDB-2797:
--------------------------------------
As for Flash, Flash also protects against this with its own version of CORS
(crossdomain.xml). As for future changes to browsers allowing arbitrary
application/json POSTs, if they do ever change, they are well aware that that
would make most JSON services suddenly open to CSRF, so it will likely also be
subject to CORS restrictions (https://github.com/darobin/formic/issues/8).
> Apply CSRF protection only to form submissions
> ----------------------------------------------
>
> Key: COUCHDB-2797
> URL: https://issues.apache.org/jira/browse/COUCHDB-2797
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Robert Newson
>
> The new CSRF double-submit protection should be applied to form submissions,
> not all requests. XHR requests, in particular, are not vulnerable to CSRF, so
> we should skip the check there, saving middleware and other tools the effort
> of supporting this feature.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
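The distinction the thread draws, applying the double-submit cookie check only to requests an HTML form can produce and skipping XHR/JSON requests, as an added illustration that is not CouchDB's own code; the `Request` class, `csrf_check` function and the `csrf_token` cookie/field names are assumptions:

```python
# Added example (not from the CouchDB issue): CSRF double-submit check that is
# applied only to requests a cross-site HTML form could have submitted.
# The Request class and cookie/field names here are assumptions.
from dataclasses import dataclass, field
import hmac

# Content types an HTML <form> can send cross-origin without a CORS preflight.
# Anything else (notably application/json) forces a preflight, which CORS denies
# unless the server opts in, so the double-submit check adds nothing there.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # e.g. {"Content-Type": ...}
    cookies: dict = field(default_factory=dict)   # parsed Cookie header
    form: dict = field(default_factory=dict)      # parsed form body fields


def needs_csrf_check(req: Request) -> bool:
    """True only for state-changing requests a plain form submission could forge."""
    if req.method.upper() in SAFE_METHODS:
        return False
    # Strip parameters such as "; boundary=..." or "; charset=utf-8".
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in FORM_CONTENT_TYPES


def csrf_check(req: Request, cookie_name="csrf_token", field_name="csrf_token") -> bool:
    """Double-submit cookie check: the token echoed in the form body must equal
    the token held in the cookie. Requests outside the form-submission class
    pass through untouched, as the issue proposes."""
    if not needs_csrf_check(req):
        return True
    cookie_token = req.cookies.get(cookie_name)
    form_token = req.form.get(field_name)
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so token mismatches leak no timing information.
    return hmac.compare_digest(cookie_token, form_token)
```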