This is to prevent CSS attacks, where an admin is logged into a CouchDB server and a form POST on a hostile webpage can trigger actions. The content type check prevents such attacks.
However, I am thinking that instead of requiring application/json, we could check for multipart/form-data instead. However, I'm not sure if that's secure or not. Input welcome.

-Damien

On Aug 10, 2010, at 2:45 PM, Matt Goodall wrote:

> Hi,
>
> Just had to update couchdb-python to send a "Content-Type:
> application/json" header for _ensure_full_commit. Can someone explain
> why the header is needed when there's no content?
>
> Thanks, Matt
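
An added example, not part of the original messages and not CouchDB or couchdb-python code: it runs the content type check discussed in this thread over constructed Content-Type values, including the three encodings an HTML form can submit. The function names, the sample values, and the reading of the multipart/form-data alternative as "refuse only that type" are assumptions.

```python
# Added illustration; not CouchDB or couchdb-python code. All names are hypothetical.

# Constructed sample requests: label -> Content-Type header value (None = header absent).
SAMPLES = {
    "form urlencoded": "application/x-www-form-urlencoded",
    "form multipart": "multipart/form-data; boundary=----constructed",
    "form text/plain": "text/plain",
    "api client": "Application/JSON; charset=utf-8",
    "no header": None,
}


def media_type(header_value):
    """Return lowercased type/subtype with parameters stripped, or None if absent."""
    if not header_value:
        return None
    return header_value.split(";", 1)[0].strip().lower()


def require_json(content_type):
    """Check described in the thread: accept only a POST declared as JSON."""
    return media_type(content_type) == "application/json"


def reject_multipart_only(content_type):
    """Assumed reading of the alternative: refuse only multipart/form-data."""
    return media_type(content_type) != "multipart/form-data"


def evaluate(policy):
    """Map each sample label to True (accepted) or False (refused)."""
    return {label: policy(value) for label, value in SAMPLES.items()}


def form_posts_accepted(policy):
    """Labels of form-style samples that the policy would let through."""
    return sorted(k for k, ok in evaluate(policy).items() if ok and k.startswith("form"))


if __name__ == "__main__":
    for policy in (require_json, reject_multipart_only):
        print(policy.__name__, evaluate(policy), form_posts_accepted(policy))
```

Requiring application/json refuses every form-style sample as well as the request with no header, which is why a body-less POST such as _ensure_full_commit still has to send the header.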
