Are you really sure that checking for the content-type header prevents CSS/CSRF attacks? The only thing I can think of to "really" protect cookie-based authentication from this kind of attack is to use a non-guessable one-time token to verify the request's origin (e.g. from a futon page).
On 12.08.2010, at 02:09, Damien Katz wrote:

> This is to prevent CSS attacks, where an admin is logged into a CouchDB
> server and form POST on a hostile webpage can trigger actions. The content
> type check prevents such attacks.
>
> However, I am thinking instead of requiring application/json, we could
> instead check for multipart/form-data instead. However, I'm not sure if
> that's secure or not.
>
> Input welcome.
>
> -Damien
>
> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>
>> Hi,
>>
>> Just had to update couchdb-python to send a "Content-Type:
>> application/json" header for _ensure_full_commit. Can someone explain
>> why the header is needed when there's no content?
>>
>> Thanks, Matt
>
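The two defences discussed in this thread, as an added Python illustration that is not part of the thread and not CouchDB's code: a server-side Content-Type check that accepts only application/json (so a bare cross-site HTML form, which can only produce form-urlencoded, multipart/form-data or text/plain, is rejected), beside the non-guessable one-time token the reply proposes. The header name X-CSRF-Token, the session id standing in for the auth cookie, and the sample requests are all constructed for the example.

```python
import hmac
import secrets

# Media types a plain HTML <form> can submit cross-site without any script.
# A request whose Content-Type is anything else cannot come from a bare form
# on a hostile page, which is the property the thread's check relies on.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

REQUIRED_MEDIA_TYPE = "application/json"
TOKEN_HEADER = "X-CSRF-Token"  # assumed header name, not a CouchDB convention


def media_type(headers):
    """Return the lower-cased media type from a Content-Type header,
    dropping parameters such as '; boundary=...' or '; charset=utf-8'."""
    return headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def content_type_check(headers):
    """The check the thread describes: accept only application/json.
    Returns (ok, reason)."""
    mt = media_type(headers)
    if mt == REQUIRED_MEDIA_TYPE:
        return True, "content-type ok"
    if mt in FORM_MEDIA_TYPES:
        return False, "form-submittable content type rejected: " + mt
    return False, "unexpected content type: " + (mt or "<none>")


class OneTimeTokenStore:
    """Per-session, single-use anti-CSRF tokens, as the reply proposes.
    Hypothetical design for illustration; not CouchDB's implementation."""

    def __init__(self):
        self._outstanding = {}  # session id -> set of unused tokens

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """Accept a token once, then discard it so a replay fails.
        compare_digest keeps the comparison constant-time."""
        if not presented:
            return False
        tokens = self._outstanding.get(session_id, set())
        for token in list(tokens):
            if hmac.compare_digest(token.encode(), presented.encode()):
                tokens.discard(token)
                return True
        return False


def check_request(headers, session_id, store):
    """Apply both defences: the Content-Type check and the one-time token.
    The session id stands in for whatever the auth cookie resolves to."""
    ok, reason = content_type_check(headers)
    if not ok:
        return False, reason
    if not store.consume(session_id, headers.get(TOKEN_HEADER)):
        return False, "missing, unknown or already-used CSRF token"
    return True, "accepted"


def demo():
    """Constructed requests: what a hostile page's form can produce versus
    what the legitimate client sends. Returns the list of verdicts."""
    store = OneTimeTokenStore()
    session = "auth-cookie-session-42"  # constructed session id
    token = store.issue(session)
    # A cross-site form POST carries the victim's cookie but can only
    # produce a form media type and never knows the token.
    hostile_form = {"Content-Type": "multipart/form-data; boundary=abc"}
    # Legitimate client: JSON content type plus a token it fetched earlier.
    legit = {"Content-Type": "application/json", TOKEN_HEADER: token}
    return [
        check_request(hostile_form, session, store),
        check_request(legit, session, store),
        check_request(legit, session, store),  # replay of the same token
    ]


if __name__ == "__main__":
    for accepted, why in demo():
        print("ACCEPTED" if accepted else "REJECTED", "-", why)
```

The Content-Type check holds only as long as nothing on a hostile page can send a cross-site request with a non-form media type, which is why switching the required type to multipart/form-data would undo it. The token does not depend on that assumption: it is bound to the session, unguessable, and invalid after one use.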
