Hi,
I've been working on CSRF protection for zope.formlib.
I have a "csrfprotection" branch in my zope.formlib fork on github. The
changes against the current zope.formlib mainline can be found here:
https://github.com/janwijbrand/zope.formlib/compare/csrfprotection
When creating form components based on zope.formlib.form.FormBase, one
can enable this protection just by setting the attribute ``protected``
to True on the component.
This implementation is based on the following assumptions:
* We do not want to keep server-side state(!)
* An "attacker" that attempts CSRF cannot get to information stored in
cookies that are meant for the domain of the (forged) request.
* The token stored in the cookie is sufficiently random and long, to be
practically "unguessable" by the attacker.
* The form submit is deemed valid as long as the token in the cookie is
identical to a hidden input value that is part of the form submit.
My questions:
* Do you find this feature useful enough to be, in principle, included
in zope.formlib?
* I'd like to kindly request someone to review my branch and provide
feedback.
The included test cases describe a few more questions and concerns about
this implementation.
Thank you in advance!
kind regards, jw
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
