On Aug 11, 2010, at 11:25 PM, Sebastian Cohnen wrote:

> Are you really sure that checking for the content-type header prevents CSS/CSRF 
> attacks? The only thing I can think of to "really" protect cookie-based 
> authentication from this kind of attack is to use a non-guessable one-time 
> token to verify the request's origin (e.g. from a futon page).
> 

http://www.w3.org/TR/html5/author/association-of-controls-and-forms.html#form-submission-0

This suggests the set of allowable content types is limited and does not 
include application/json. In my testing I was unable to get any browsers to 
submit cross-domain forms with application/json content type.

If anyone can get a browser to do this, please let us know, as we'll have to 
figure out another defense.

Chris

> On 12.08.2010, at 02:09, Damien Katz wrote:
> 
>> This is to prevent CSS attacks, where an admin is logged into a CouchDB 
>> server and a form POST on a hostile webpage can trigger actions. The content 
>> type check prevents such attacks.
>> 
>> However, I am thinking instead of requiring application/json, we could 
>> instead check for multipart/form-data instead. However, I'm not sure if 
>> that's secure or not.
>> 
>> Input welcome.
>> 
>> -Damien
>> 
>> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>> 
>>> Hi,
>>> 
>>> Just had to update couchdb-python to send a "Content-Type:
>>> application/json" header for _ensure_full_commit. Can someone explain
>>> why the header is needed when there's no content?
>>> 
>>> Thanks, Matt
>> 
> 

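The content-type check discussed in this thread, as an added example that is not code from CouchDB or couchdb-python. It models a server-side gate for state-changing requests: the HTML5 form-submission algorithm Chris links to limits form enctypes to application/x-www-form-urlencoded, multipart/form-data and text/plain, so requiring application/json rejects every cross-site form POST, while the alternative Damien floats (accepting multipart/form-data) lets one of those form enctypes straight through. The sample requests and the assumption that GET/HEAD are side-effect free are constructed for this example.

```python
"""Content-Type check as a CSRF defense for state-changing endpoints.

Constructed example: browsers submit HTML forms with one of three enctypes,
so demanding application/json on a POST rejects cross-site form submissions.
"""

# Enctypes an HTML form can produce (HTML5 form-submission algorithm).
FORM_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Methods that may change server state and therefore need the check.
# Assumption: GET and HEAD are side-effect free and are passed through.
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def media_type(content_type):
    """Bare media type, lower-cased, with parameters (charset, boundary) dropped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def accepts(method, content_type, required="application/json"):
    """True if the request passes the check. A state-changing request is
    accepted only when its body type equals `required`; a missing header
    (e.g. a bodiless POST) is rejected, which is why clients must send one."""
    if method.upper() not in STATE_CHANGING:
        return True
    return media_type(content_type) == required


def check_requests(requests, required="application/json"):
    """Evaluate (label, method, content_type) tuples; returns label -> accepted."""
    return {label: accepts(method, ct, required) for label, method, ct in requests}


# Constructed sample requests, as a browser form or an API client might send them.
SAMPLE_REQUESTS = [
    ("form urlencoded", "POST", "application/x-www-form-urlencoded"),
    ("form multipart", "POST", "multipart/form-data; boundary=----abc"),
    ("form text/plain", "POST", "text/plain"),
    ("api client json", "POST", "application/json"),
    ("api client json utf8", "POST", "Application/JSON; charset=utf-8"),
    ("bodiless POST, no header", "POST", None),
    ("plain GET", "GET", None),
]

if __name__ == "__main__":
    for label, ok in check_requests(SAMPLE_REQUESTS).items():
        print(f"{label:26s} -> {'accept' if ok else 'reject'}")
    # The weaker setting: forms can submit multipart/form-data, so it gets through.
    print("multipart gate lets form multipart through:",
          check_requests(SAMPLE_REQUESTS, "multipart/form-data")["form multipart"])
```

The three form-enctype requests are rejected and both JSON requests accepted under the application/json gate; switching the required type to multipart/form-data accepts the multipart form submission, which is the hole in that alternative.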