Thanks for the hint, Chris. Although I would not rely on specs when it comes to security (especially not in the web browser area^^). But maybe you are right, and current browsers simply don't allow this, so we are on the safe side here.
Best,
Sebastian

On 12.08.2010, at 08:33, J Chris Anderson wrote:

> On Aug 11, 2010, at 11:25 PM, Sebastian Cohnen wrote:
>
>> Are you really sure that checking for the content-type header prevents CSS/CSRF attacks? The only thing I can think of to "really" protect cookie-based authentication from this kind of attack is to use a non-guessable one-time token to verify the request's origin (e.g. from a Futon page).
>
> http://www.w3.org/TR/html5/author/association-of-controls-and-forms.html#form-submission-0
>
> This suggests the set of allowable content types is limited and does not include application/json. In my testing I was unable to get any browsers to submit cross-domain forms with application/json content type.
>
> If anyone can get a browser to do this, please let us know, as we'll have to figure out another defense.
>
> Chris
>
>> On 12.08.2010, at 02:09, Damien Katz wrote:
>>
>>> This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
>>>
>>> However, I am thinking instead of requiring application/json, we could instead check for multipart/form-data instead. However, I'm not sure if that's secure or not.
>>>
>>> Input welcome.
>>>
>>> -Damien
>>>
>>> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>>>
>>>> Hi,
>>>>
>>>> Just had to update couchdb-python to send a "Content-Type: application/json" header for _ensure_full_commit. Can someone explain why the header is needed when there's no content?
>>>>
>>>> Thanks, Matt

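The defence Damien and Chris describe, written out as a small request filter. This is an added illustration and not CouchDB's own code: it encodes the idea that an HTML form can only submit with one of the enctype values the HTML5 form-submission algorithm allows, so a state-changing request whose Content-Type is application/json cannot have come from a cross-site form POST. It also shows why Matt's header-less _ensure_full_commit request was rejected. The function names, the set of state-changing methods and the sample requests are assumptions made for the example.

```python
"""Content-Type based CSRF defence as discussed in the thread (added example).

Not CouchDB's implementation. It models the rule "state-changing requests must
carry Content-Type: application/json" and explains each decision, so that the
browser-form enctypes (which a hostile page can send with the victim's cookie)
are refused while JSON written by a script or client library is accepted.
"""
from typing import Mapping, Optional, Tuple

# Enctypes that an HTML <form> element can produce according to the HTML5
# form-submission algorithm linked in the thread. None of them is application/json.
FORM_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Methods that may change server state and therefore need the check.
# (COPY is a CouchDB-specific method; the set is an assumption for this example.)
STATE_CHANGING = {"POST", "PUT", "DELETE", "COPY"}


def media_type(content_type: Optional[str]) -> str:
    """Return the bare, lower-cased media type without parameters such as charset."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def check_content_type(method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a request passes the Content-Type CSRF defence.

    Returns (allowed, reason). Safe methods are never blocked here, since they
    must not change state anyway. State-changing requests are allowed only when
    they carry application/json, which a browser form cannot send; a missing
    header is refused too, which is what Matt ran into with _ensure_full_commit.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, no check needed"

    # Header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    ct = media_type(lowered.get("content-type"))

    if ct == "application/json":
        return True, "application/json accepted"
    if ct in FORM_ENCTYPES:
        return False, f"{ct} is a browser form enctype; possible cross-site form POST"
    if ct == "":
        return False, "missing Content-Type on a state-changing request"
    return False, f"unexpected Content-Type {ct}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("POST", {"Content-Type": "multipart/form-data; boundary=xyz"}),
        ("POST", {}),  # Matt's header-less _ensure_full_commit case
        ("POST", {"content-type": "application/json; charset=utf-8"}),
        ("GET", {}),
    ]
    for method, hdrs in samples:
        allowed, reason = check_content_type(method, hdrs)
        print(f"{method:5} {hdrs.get('Content-Type', hdrs.get('content-type', '-')):45} "
              f"{'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The check only covers what the thread covers: it stops cross-site form submissions riding on the admin's cookie. It does not by itself address a browser that could be made to send application/json cross-domain, which is exactly the gap Chris asks people to report, and it is independent of the one-time-token approach Sebastian mentions.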