Posted to user@couchdb.apache.org by Matt Goodall <ma...@gmail.com> on 2010/08/10 23:45:04 UTC
application/json header requirements
Hi,
Just had to update couchdb-python to send a "Content-Type:
application/json" header for _ensure_full_commit. Can someone explain
why the header is needed when there's no content?
Thanks, Matt
Re: application/json header requirements
Posted by Sebastian Cohnen <se...@googlemail.com>.
Thanks for the hint, Chris. Although I would not rely on specs when it comes to security (especially not in the web browser area^^). But maybe you are right, and current browsers simply don't allow this, so we are on the safe side here.
Best
Sebastian
On 12.08.2010, at 08:33, J Chris Anderson wrote:
>
> On Aug 11, 2010, at 11:25 PM, Sebastian Cohnen wrote:
>
>> Are you really sure that checking for the content-type header prevents CSS/CSRF attacks? The only thing I can think of to "really" protect cookie-based authentication from this kind of attack is to use a non-guessable one-time token to verify the request's origin (e.g. from a futon page).
>>
>
> http://www.w3.org/TR/html5/author/association-of-controls-and-forms.html#form-submission-0
>
> This suggests the set of allowable content types is limited and does not include application/json. In my testing I was unable to get any browsers to submit cross-domain forms with application/json content type.
>
> If anyone can get a browser to do this, please let us know, as we'll have to figure out another defense.
>
> Chris
>
>> On 12.08.2010, at 02:09, Damien Katz wrote:
>>
>>> This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
>>>
>>> However, I am thinking that instead of requiring application/json, we could check for multipart/form-data. However, I'm not sure if that's secure or not.
>>>
>>> Input welcome.
>>>
>>> -Damien
>>>
>>> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>>>
>>>> Hi,
>>>>
>>>> Just had to update couchdb-python to send a "Content-Type:
>>>> application/json" header for _ensure_full_commit. Can someone explain
>>>> why the header is needed when there's no content?
>>>>
>>>> Thanks, Matt
>>>
>>
>
Re: application/json header requirements
Posted by J Chris Anderson <jc...@apache.org>.
On Aug 11, 2010, at 11:25 PM, Sebastian Cohnen wrote:
> Are you really sure that checking for the content-type header prevents CSS/CSRF attacks? The only thing I can think of to "really" protect cookie-based authentication from this kind of attack is to use a non-guessable one-time token to verify the request's origin (e.g. from a futon page).
>
http://www.w3.org/TR/html5/author/association-of-controls-and-forms.html#form-submission-0
This suggests the set of allowable content types is limited and does not include application/json. In my testing I was unable to get any browsers to submit cross-domain forms with application/json content type.
If anyone can get a browser to do this, please let us know, as we'll have to figure out another defense.
Chris
> On 12.08.2010, at 02:09, Damien Katz wrote:
>
>> This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
>>
>> However, I am thinking that instead of requiring application/json, we could check for multipart/form-data. However, I'm not sure if that's secure or not.
>>
>> Input welcome.
>>
>> -Damien
>>
>> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>>
>>> Hi,
>>>
>>> Just had to update couchdb-python to send a "Content-Type:
>>> application/json" header for _ensure_full_commit. Can someone explain
>>> why the header is needed when there's no content?
>>>
>>> Thanks, Matt
>>
>
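A defender-side worked example of the check Damien describes and of the spec argument Chris makes, added here as illustration and not taken from CouchDB or couchdb-python: it folds a Content-Type value down to its bare media type, rejects state-changing requests whose type is not application/json, and evaluates a candidate required type against the three media types an HTML form can itself produce, which is why the alternative of checking for multipart/form-data would not help. The WSGI middleware, the function names and the sample requests are assumptions constructed for the demonstration.

```python
import json

# Media types an HTML <form> can produce on its own. The HTML5 form submission
# algorithm admits only these three enctype values; application/json is absent,
# which is the observation Chris's message draws from the spec.
FORM_SUBMITTABLE = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Request methods that may change state and therefore need the check.
STATE_CHANGING = frozenset({"POST", "PUT", "DELETE", "COPY"})


def media_type(content_type):
    """Bare, lower-cased media type of a Content-Type header value.

    'Application/JSON; charset=utf-8' -> 'application/json'; None or '' -> ''.
    Parameters are dropped and case is folded so a variant spelling cannot
    slip past a plain string comparison.
    """
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def policy_blocks_forms(required):
    """True if requiring `required` keeps out bodies a browser form can build.

    Chris's argument applied to Damien's alternative: a required type that is
    itself form-submittable offers no protection, because a hostile page can
    satisfy it with an ordinary <form>.
    """
    return media_type(required) not in FORM_SUBMITTABLE


def check_request(method, content_type, required="application/json"):
    """Apply the allowlist to one request. Returns (allowed, reason)."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only method, no check needed"
    mt = media_type(content_type)
    if mt == required:
        return True, "content type matches %s" % required
    if mt == "":
        # Matt's case: a body-less request that sends no Content-Type. A strict
        # allowlist still rejects it, which is why couchdb-python had to add
        # the header to _ensure_full_commit even though it sends no body.
        return False, "missing Content-Type; %s is required" % required
    if mt in FORM_SUBMITTABLE:
        return False, "form-submittable type %s rejected" % mt
    return False, "unexpected content type %s" % mt


class ContentTypeGuard:
    """Hypothetical WSGI middleware answering 415 when the check fails."""

    def __init__(self, app, required="application/json"):
        self.app = app
        self.required = required

    def __call__(self, environ, start_response):
        allowed, reason = check_request(
            environ.get("REQUEST_METHOD", "GET"),
            environ.get("CONTENT_TYPE"),
            self.required,
        )
        if allowed:
            return self.app(environ, start_response)
        body = json.dumps({"error": "bad_content_type", "reason": reason}).encode("utf-8")
        start_response("415 Unsupported Media Type",
                       [("Content-Type", "application/json"),
                        ("Content-Length", str(len(body)))])
        return [body]


def _ok_app(environ, start_response):
    """Stand-in for the protected application (constructed for the demo)."""
    start_response("201 Created", [("Content-Type", "application/json")])
    return [b'{"ok":true}']


def run_guard(method, content_type, required="application/json"):
    """Drive the middleware with a constructed WSGI environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    body = b"".join(ContentTypeGuard(_ok_app, required)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed samples: a script client, two forged cross-site form posts,
    # and Matt's header-less _ensure_full_commit call as the guard sees them.
    for method, ctype in [("POST", "application/json; charset=utf-8"),
                          ("POST", "multipart/form-data; boundary=----x"),
                          ("POST", "text/plain"), ("POST", None)]:
        print(method, ctype, "->", run_guard(method, ctype)[0])
    print("require application/json blocks forms:", policy_blocks_forms("application/json"))
    print("require multipart/form-data blocks forms:", policy_blocks_forms("multipart/form-data"))
```

The same check answers Matt's question: a request with no body and no Content-Type fails a strict allowlist, so the client must send the header. The defense rests on what the browser will send with ambient cookie credentials: a cross-origin script request carrying application/json is not a simple request and needs CORS permission, so the server must not grant that permission to arbitrary origins, and the check does nothing for requests authenticated some other way.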
Re: application/json header requirements
Posted by Sebastian Cohnen <se...@googlemail.com>.
Are you really sure that checking for the content-type header prevents CSS/CSRF attacks? The only thing I can think of to "really" protect cookie-based authentication from this kind of attack is to use a non-guessable one-time token to verify the request's origin (e.g. from a futon page).
On 12.08.2010, at 02:09, Damien Katz wrote:
> This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
>
> However, I am thinking that instead of requiring application/json, we could check for multipart/form-data. However, I'm not sure if that's secure or not.
>
> Input welcome.
>
> -Damien
>
> On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
>
>> Hi,
>>
>> Just had to update couchdb-python to send a "Content-Type:
>> application/json" header for _ensure_full_commit. Can someone explain
>> why the header is needed when there's no content?
>>
>> Thanks, Matt
>
Re: application/json header requirements
Posted by Damien Katz <da...@apache.org>.
This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
However, I am thinking that instead of requiring application/json, we could check for multipart/form-data. However, I'm not sure if that's secure or not.
Input welcome.
-Damien
On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:
> Hi,
>
> Just had to update couchdb-python to send a "Content-Type:
> application/json" header for _ensure_full_commit. Can someone explain
> why the header is needed when there's no content?
>
> Thanks, Matt