On Feb 19, 2010, at 6:43 AM, Florian Weimer wrote:

> * Paul Davis:
>
>> Do you have any examples of how other sites have protected against
>> this? Unless I'm missing something I don't see how this is specific to
>> Futon so surely someone else has some explicit documentation on how to
>> avoid such things.
>
> The standard countermeasure puts session identifiers into URLs
> (sometimes they are called "form tokens", but this doesn't fit the
> context here).
>
> Upon login, the client could specify if it wants a session with or
> without form tokens.
Because of the sensitive nature of security issues we've been discussing this on the security list. The consensus is that we should use a nonce-based system for any requests that accept form POSTs.

You've mentioned a couple of times that XHR can make cross-domain post requests. I'm not sure this is the case (I know you can do cross-domain form posts). If you have a resource or example showing cross-domain XHR with a JSON content type we'd love to see it so we can take it into account.

Chris