On 4 April 2011 14:57, Stephan Richter <srich...@cosmos.phy.tufts.edu> wrote:
> On Monday, April 04, 2011, Laurence Rowe wrote:
>> I'd be interested to know how other z3c.form users approach CSRF protection
>> and what approach they would recommend.
> Hi Lawrence,
> I am okay with (1), but find (3) more attractive. Since I am not familiar with
> the token solution to avoid CSRF attacks, can you briefly describe the approach
> that is used to avoid those requests? Maybe we can come up with a tightly
> integrated solution. I have no problem with modifying z3c.form to support such
> a feature.
The authenticator is described on
http://pypi.python.org/pypi/plone.protect, but basically it adds an
HMAC-SHA signed token into the form submission. By validating this you
know that the submission came from a form that your site rendered,
rather than an opportunistic 'drive-by' attack from another site.
I'm happy to go with (3). I assume it is not common for z3c.form users
to have non-button actions or customize the ButtonActionHandler?
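A minimal, self-contained version of the scheme described above, added here as an example and not plone.protect's own code: the server keys an HMAC with a secret only it holds, embeds the result as a hidden field in every form it renders, and refuses any submission whose token does not verify. The message says "HMAC-SHA" without naming the variant, so SHA-256 is assumed; the hidden-field name `_authenticator`, keying the token on the user id, and the `form.widgets.*` / `form.buttons.*` field names are assumptions made for the example. The four submissions in `demo()` are constructed inputs.

```python
import hmac
import hashlib
import secrets

# Hypothetical name of the hidden field carrying the token; plone.protect's
# real field name is not taken from the message and is assumed here.
TOKEN_FIELD = "_authenticator"


def generate_token(secret_key: bytes, user_id: str) -> str:
    """HMAC-SHA256 over the user id, keyed with a server-side secret.

    Only the server holds secret_key, so only a page the server rendered
    can carry a token that verifies. Keying on user_id (an assumption of
    this example) means a token issued to one user is not valid for another.
    """
    return hmac.new(secret_key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def hidden_field(secret_key: bytes, user_id: str) -> str:
    """The markup the site embeds in every form it renders."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        TOKEN_FIELD, generate_token(secret_key, user_id))


def is_valid_submission(secret_key: bytes, user_id: str, form: dict) -> bool:
    """Check a submitted form before any button action handler runs."""
    token = form.get(TOKEN_FIELD)
    if not isinstance(token, str):
        return False  # missing field: drive-by submission from another site
    expected = generate_token(secret_key, user_id)
    # Constant-time compare so timing does not leak the expected value.
    return hmac.compare_digest(token, expected)


def handle_save(secret_key: bytes, user_id: str, form: dict) -> str:
    """Stand-in for a z3c.form button handler guarded by the check."""
    if not is_valid_submission(secret_key, user_id, form):
        return "rejected: missing or invalid authenticator"
    return "saved title=%r for %s" % (form.get("form.widgets.title"), user_id)


def demo():
    """Constructed scenarios: one genuine submission and three that must fail."""
    secret_key = secrets.token_bytes(32)  # per-site secret, never sent to browsers
    user = "alice"

    # 1. The site rendered the form for alice; the browser posts the token back.
    genuine = {TOKEN_FIELD: generate_token(secret_key, user),
               "form.widgets.title": "Hello", "form.buttons.save": "Save"}
    # 2. A form on another site auto-submits to ours: no token at all.
    drive_by = {"form.widgets.title": "pwned", "form.buttons.save": "Save"}
    # 3. The other site guesses the key; the HMAC does not verify.
    forged = {TOKEN_FIELD: generate_token(b"guessed-key", user),
              "form.widgets.title": "pwned", "form.buttons.save": "Save"}
    # 4. A token legitimately issued to bob, replayed in alice's session.
    replayed = {TOKEN_FIELD: generate_token(secret_key, "bob"),
                "form.widgets.title": "pwned", "form.buttons.save": "Save"}

    return [is_valid_submission(secret_key, user, f)
            for f in (genuine, drive_by, forged, replayed)]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False]
```

The check sits in front of the handler rather than inside it, which is the shape option (3) in the thread implies: one place in the action-execution path validates the token, and individual button handlers need no knowledge of it. Anything that bypasses that path (a non-button action, or a customized ButtonActionHandler that does not call the check) is unprotected, which is why the question about such customizations matters.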
Zope-Dev maillist - Zope-Dev@zope.org