On 4 April 2011 14:57, Stephan Richter <srich...@cosmos.phy.tufts.edu> wrote:
> On Monday, April 04, 2011, Laurence Rowe wrote:
>> I'd be interested to know how other z3c.form users approach CSRF protection
>> and what approach they would recommend.
> Hi Laurence,
> I am okay with (1), but find (3) more attractive. Since I am not familiar with
> the token solution to avoid CSRF attacks, can you briefly describe the sequence
> that is used to avoid those requests? Maybe we can come up with a tightly
> integrated solution. I have no problem with modifying z3c.form to support such
> a feature.

Hi Stephan,

The authenticator is described on
http://pypi.python.org/pypi/plone.protect, but basically it adds an
HMAC-SHA signed token into the form submission. By validating this you
know that the submission came from a form that your site rendered,
rather than an opportunistic 'drive-by' attack from another site.

I'm happy to go with (3). I assume it is not common for z3c.form users
to have non-button actions or customize the ButtonActionHandler?

Zope-Dev maillist  -  Zope-Dev@zope.org