On 4 April 2011 14:57, Stephan Richter <srich...@cosmos.phy.tufts.edu> wrote:
> On Monday, April 04, 2011, Laurence Rowe wrote:
>> I'd be interested to know how other z3c.form users approach CSRF protection
>> and what approach they would recommend.
>
> Hi Lawrence,
>
> I am okay with (1), but find (3) more attractive. Since I am not familiar with
> the token solution to avoid CSRF attacks, can you briefly describe the
> sequence that is used to avoid those requests? Maybe we can come up with a
> tightly integrated solution. I have no problem with modifying z3c.form to
> support such a feature.
Hi Stephan,

The authenticator is described on http://pypi.python.org/pypi/plone.protect, but basically it adds an HMAC-SHA signed token into the form submission. By validating this you know that the submission came from a form that your site rendered, rather than an opportunistic 'drive-by' attack from another site.

I'm happy to go with (3). I assume it is not common for z3c.form users to have non-button actions or customize the ButtonActionHandler?

Laurence

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
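The token scheme sketched in the reply above, as a simplified added example (not plone.protect's own code): the server signs the authenticated user name plus a per-form nonce with a site secret, puts the result in a hidden form field, and on submission recomputes the HMAC and compares it in constant time. The secret, the field name `_authenticator` and the user names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed site secret for the example; a real site keeps this in its
# own persistent key store and never sends it to the browser. The whole
# defence rests on other sites not knowing this value.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def create_token(secret: bytes, user_id: str, nonce: Optional[str] = None) -> str:
    """Return 'nonce:hexmac', an HMAC-SHA256 over the user and a fresh nonce."""
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(secret, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{mac}"


def verify_token(secret: bytes, user_id: str, token: str) -> bool:
    """Accept only tokens this site minted for this particular user."""
    try:
        nonce, mac = token.split(":", 1)
    except ValueError:
        return False  # malformed or missing token
    expected = hmac.new(secret, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(mac, expected)


def render_hidden_field(secret: bytes, user_id: str) -> str:
    """The hidden input the form template would emit when rendering for user_id."""
    return f'<input type="hidden" name="_authenticator" value="{create_token(secret, user_id)}" />'


def handle_submission(secret: bytes, user_id: str, form_data: dict) -> str:
    """What a button action handler does before running the real action."""
    if not verify_token(secret, user_id, form_data.get("_authenticator", "")):
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    field = render_hidden_field(SERVER_SECRET, "alice")
    token = field.split('value="')[1].split('"')[0]
    print(handle_submission(SERVER_SECRET, "alice", {"_authenticator": token}))  # accepted
    print(handle_submission(SERVER_SECRET, "alice", {}))  # rejected: drive-by post has no token
```

A token issued for one user is rejected when replayed against another user's session, and any token without the site secret behind it fails verification.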