Due to CSRF issues, Futon cannot use that API. You really need to include some sort of token in the URL (or in an HTTP header) which does not get passed on automatically by the browser. Right now, you're relying on HttpOnly support in the browser, which is not available universally.
You also have a cross-site scripting issue with uploaded document attachments. Right now, it is possible to use an inline document attachment in a POST request for a new document to upload JavaScript to the server, and have it served back to you for execution. At this point, the same-origin restrictions do not apply anymore. Unfortunately, it is a bit difficult to stop browsers from interpreting crafted blobs as HTML, so I have no good advice to offer here. Even if the first issue is addressed, you still have to deal with Futon users viewing attachments accidentally.
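The two mitigations the message points at, a per-session anti-CSRF token carried in a custom header rather than a cookie, and response headers that keep a user-uploaded attachment from being rendered as HTML in the application's origin, can be sketched as follows. This is an added illustration, not code from CouchDB, Futon, or the poster; the `Request` type, the `X-CSRF-Token` header name, the `session` cookie name and the `RENDERABLE_TYPES` list are assumptions chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, minimal request representation for the example (not a real framework type).
@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CsrfGuard:
    """Bind a random token to each session and require it in a custom header.

    A browser attaches cookies to cross-site requests automatically, but it will
    not add a custom request header unless script running on the application's
    own origin does so. That asymmetry is what the check relies on.
    """

    def __init__(self):
        self._tokens = {}  # session id -> token (in-memory store, example only)

    def issue_token(self, session_id):
        """Generate a fresh token for this session; the UI embeds it in its pages/scripts."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def check(self, req):
        """Return True if the request may proceed, False if it must be rejected (HTTP 403)."""
        if req.method in SAFE_METHODS:  # read-only methods carry no CSRF risk here
            return True
        expected = self._tokens.get(req.cookies.get("session"))
        presented = req.headers.get("X-CSRF-Token")
        if expected is None or presented is None:
            return False
        # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
        return hmac.compare_digest(expected.encode(), presented.encode("utf-8", "replace"))


# Content types a browser will happily execute script inside (assumed list; extend as needed).
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/xml-dtd",
}


def attachment_response_headers(declared_type):
    """Headers for serving an untrusted attachment without letting it run as a page in our origin.

    - X-Content-Type-Options: nosniff stops the browser from second-guessing the type.
    - Content-Disposition: attachment forces a download instead of inline rendering.
    - Content-Security-Policy: sandbox gives the document a unique origin with no script
      if it is rendered anyway (e.g. opened in a tab that ignores the disposition).
    - Types that browsers render as markup are downgraded to application/octet-stream.
    Serving attachments from a separate origin (a dedicated user-content domain) is the
    stronger fix; these headers are defence in depth on the same origin.
    """
    content_type = declared_type.split(";")[0].strip().lower()
    if content_type in RENDERABLE_TYPES or not content_type:
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue_token("session-1")
    forged = Request("POST", "/db/doc", cookies={"session": "session-1"})  # cookie only, as a cross-site form would send
    legit = Request("POST", "/db/doc", headers={"X-CSRF-Token": token}, cookies={"session": "session-1"})
    print("forged allowed:", guard.check(forged), "| legit allowed:", guard.check(legit))
    print(attachment_response_headers("text/html; charset=utf-8"))
```

Note that the token check only helps if the UI itself reads the token from somewhere the attacker's site cannot (a page it rendered, or an endpoint protected by the same check), and that the attachment headers do nothing for a user who deliberately opens the downloaded file; they only close the inline-execution path the message describes.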