Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/07 16:30:20 UTC

documentation commit: updated refs/heads/master to 9241367

Repository: couchdb-documentation
Updated Branches:
  refs/heads/master 3074cd10b -> 924136725


Clarify the CSRF does not apply to XHR requests


Project: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/commit/92413672
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/tree/92413672
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/diff/92413672

Branch: refs/heads/master
Commit: 92413672570bbaebe7540361519ffcf6e682989e
Parents: 3074cd1
Author: Robert Newson <rn...@apache.org>
Authored: Mon Sep 7 15:30:12 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Mon Sep 7 15:30:12 2015 +0100

----------------------------------------------------------------------
 src/config/http.rst | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-documentation/blob/92413672/src/config/http.rst
----------------------------------------------------------------------
diff --git a/src/config/http.rst b/src/config/http.rst
index ed1d305..9a93479 100644
--- a/src/config/http.rst
+++ b/src/config/http.rst
@@ -532,12 +532,12 @@ Cross-site Request Forgery protection
 
     `CSRF`, or "Cross-site Request Forgery" is a web-based exploit
     where an attacker can cause a user agent to make an authenticated
-    form post or XHR request against a foreign site without their
-    consent. The attack works because a user agent will send any
-    cookies it has along with the request. The attacker does not see
-    the response, nor can they see the user agent's cookies. The
-    attacker hopes to gain indirectly, e.g, by posting to a password
-    reset form or cause damage by issuing a database delete request.
+    form post against a foreign site without their consent. The attack
+    works because a user agent will send any cookies it has along with
+    the request. The attacker does not see the response, nor can they
+    see the user agent's cookies. The attacker hopes to gain
+    indirectly, e.g, by posting to a password reset form or cause
+    damage by issuing a database delete request.
 
     To prevent this, CouchDB can require a matching request header
     before processing any write request (defined as any method other
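Review bot: Dropping "or XHR request" from the first sentence of the hunk (the `-`/`+` lines) leaves the paragraph's own reasoning unchanged, and that reasoning ("a user agent will send any cookies it has along with the request") applies to a cross-origin XHR just as much as to a form post, so the narrowed definition may mislead readers into thinking XHR-initiated requests are outside the threat. A clearer fix is to keep XHR in the definition and let the following paragraph explain why the matching-request-header check defeats it: a page on a foreign origin cannot attach an arbitrary custom header to a request without the browser's permission, whereas a plain form post never carries one. Two small style points in the added lines: "e.g," should be "e.g.," and "by posting to a password reset form or cause damage" reads better as "by posting to a password reset form or causing damage".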