Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Roger
Hi Laurence, Stephan > Subject: Re: [Zope-dev] CSRF protection for z3c.form > > On Wednesday, April 06, 2011, Laurence Rowe wrote: > >def update(self): > >super(Form, self).update() > >self.updateActions() > >

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Laurence Rowe
On 6 April 2011 22:24, Roger wrote: > Hi Laurence > >> Subject: Re: [Zope-dev] CSRF protection for z3c.form >> >> On 6 April 2011 18:43, Roger wrote: >> > Hi Laurence >> > >> >> Subject: Re: [Zope-dev] CSRF protection for z3c.form >> >

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Roger
Hi Laurence > Subject: Re: [Zope-dev] CSRF protection for z3c.form > > On 6 April 2011 18:43, Roger wrote: > > Hi Laurence > > > >> Subject: Re: [Zope-dev] CSRF protection for z3c.form > >> > >> On 4 April 2011 19:16, Roger wrote: > >>

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Laurence Rowe
On 6 April 2011 18:43, Roger wrote: > Hi Laurence > >> Subject: Re: [Zope-dev] CSRF protection for z3c.form >> >> On 4 April 2011 19:16, Roger wrote: >> > Hi Shane >> > >> >> -Original Message- >> >> From: Shane

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Laurence Rowe
On 6 April 2011 18:52, Roger wrote: > Hi Laurence > >> Subject: Re: [Zope-dev] CSRF protection for z3c.form >> >> On 4 April 2011 16:53, Stephan Richter >> wrote: >> > On Monday, April 04, 2011, Laurence Rowe wrote: >> >> The authenticato

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Raphael Ritz
On 4/6/11 7:43 PM, Roger wrote: [..] > I think protecting the form is just a part of a concept. > Another part must be to prevent injecting JavaScript into > user generated content. If an application allows posting > JS in a blog post or comment etc. it should be possible to > use easydmx to read and

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Roger
Hi Laurence > Subject: Re: [Zope-dev] CSRF protection for z3c.form > > On 4 April 2011 16:53, Stephan Richter > wrote: > > On Monday, April 04, 2011, Laurence Rowe wrote: > >> The authenticator is described on > >> http://pypi.python.org/pypi/plone.

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-06 Thread Roger
Hi Laurence > Subject: Re: [Zope-dev] CSRF protection for z3c.form > > On 4 April 2011 19:16, Roger wrote: > > Hi Shane > > > >> -Original Message- > >> From: Shane Hathaway [mailto:sh...@hathawaymix.org] > >> Sent: Monday

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-05 Thread Laurence Rowe
On 4 April 2011 16:53, Stephan Richter wrote: > On Monday, April 04, 2011, Laurence Rowe wrote: >> The authenticator is described on >> http://pypi.python.org/pypi/plone.protect, but basically it adds an >> HMAC-SHA signed token into the form submission. By validating this you >> know that the sub

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-05 Thread Laurence Rowe
'; stephan.rich...@gmail.com >> Subject: Re: [Zope-dev] CSRF protection for z3c.form >> >> On 04/04/2011 10:22 AM, Roger wrote: >> > Just because you can write login forms with z3c.form this >> package has >> > nothing to do with authentication. That's ju

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Roger
Hi Stephan > Subject: Re: AW: [Zope-dev] CSRF protection for z3c.form > > On Monday, April 04, 2011, Roger wrote: > > Authentication is definitely not a part > > of our z3c.form framework and should not become one. > > > > Why do you think authentication has som

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Roger
Hi Shane > -Original Message- > From: Shane Hathaway [mailto:sh...@hathawaymix.org] > Sent: Monday, 4 April 2011 19:54 > To: d...@projekt01.ch > Cc: 'Laurence Rowe'; 'zope-dev'; stephan.rich...@gmail.com > Subject: Re: [Zope-dev] CSRF

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Shane Hathaway
On 04/04/2011 10:22 AM, Roger wrote: > Just because you can write login forms with > z3c.form this package has nothing to do with > authentication. That's just a form framework! > > Authentication is definitely not a part > of our z3c.form framework and should not > become one. > > Why do you think a

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Tres Seaver
On 04/04/2011 12:23 PM, Wichert Akkerman wrote: > On 2011-4-4 18:22, Roger wrote: >> Hi Laurence, Stephan >> >> Just because you can write login forms with >> z3c.form this package has nothing to do with >> authentication. That's just a form framework!

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Wichert Akkerman
On 2011-4-4 18:22, Roger wrote: > Hi Laurence, Stephan > > Just because you can write login forms with > z3c.form this package has nothing to do with > authentication. That's just a form framework! > > Authentication is definitely not a part > of our z3c.form framework and should not > become one. >

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Roger
ng to do with the z3c.form library? Did I miss something? Regards Roger Ineichen > -Original Message- > From: zope-dev-boun...@zope.org > [mailto:zope-dev-boun...@zope.org] On behalf of Laurence Rowe > Sent: Monday, 4 April 2011 15:37 > To: zope-dev > B

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Stephan Richter
On Monday, April 04, 2011, Laurence Rowe wrote: > The authenticator is described on > http://pypi.python.org/pypi/plone.protect, but basically it adds an > HMAC-SHA signed token into the form submission. By validating this you > know that the submission came from a form that your site rendered, > r

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Laurence Rowe
On 4 April 2011 14:57, Stephan Richter wrote: > On Monday, April 04, 2011, Laurence Rowe wrote: >> I'd be interested to know how other z3c.form users approach CSRF protection >> and what approach they would recommend. > > Hi Laurence, > > I am okay with (1), but find (3) more attractive. Since I am

Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Stephan Richter
On Monday, April 04, 2011, Laurence Rowe wrote: > I'd be interested to know how other z3c.form users approach CSRF protection > and what approach they would recommend. Hi Laurence, I am okay with (1), but find (3) more attractive. Since I am not familiar with the token solution to avoid CSRF atta

[Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Laurence Rowe
I've been looking into how we might add CSRF protection to z3c.form forms as we will be including z3c.form in Plone 4.1. Currently in Plone, we use plone.protect to add an authentication token to our forms and then check the token in the methods that get called. (plone.protect is BSD licensed, but