Hi Shane 

> -----Original Message-----
> From: Shane Hathaway [mailto:sh...@hathawaymix.org]
> Sent: Monday, 4 April 2011 19:54
> To: d...@projekt01.ch
> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.rich...@gmail.com
> Subject: Re: [Zope-dev] CSRF protection for z3c.form
> On 04/04/2011 10:22 AM, Roger wrote:
> > Just because you can write login forms with z3c.form this package has
> > nothing to do with authentication. That's just a form framework!
> >
> > Authentication is definitely not a part
> > of our z3c.form framework and should not become one.
> >
> > Why do you think authentication has something to do with the z3c.form
> > library? Did I miss something?
> This thread is using the word authenticate differently than 
> most other Zope-related discussions.  Here, we are 
> authenticating the *form*, not the user.  We need to be sure 
> that submitted form data was produced by an authentic form.  
> Otherwise, a crafty site could cause the user's browser to 
> invoke some action in the background.

I know what you mean. As long as this is not implemented
in z3c.form I'm fine, because I don't believe in this
kind of protection since I did some very fancy stuff
with easyxdm.

Roger Ineichen

> BTW, the CSRF issue has existed as long as HTML forms have 
> existed, but for some reason it has only drawn attention in 
> the past year or two.
> Shane

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )
