Hi Stephan

> Betreff: Re: AW: [Zope-dev] CSRF protection for z3c.form
> On Monday, April 04, 2011, Roger wrote:
> > Authentication is defently not a part
> > of our z3c.form framework and should not become one.
> > 
> > Why do you think authentication has something to do with 
> the z3c.form 
> > library? Did I miss something?
> Roger, this has nothing to with user authentication, but 
> rather form authenticity, as in: Has the user submitted the 
> same form s/he has received in the first place.

I was confused the first time I was reading. But it
doesn't matter if we check authentication or
page tokens. Both are a check for "did the users
browser access this page before".

But anyway, form authencity is nice but an illusion.
All we can do is to make it harder to attack a form.

> Google "CSRF". The Wikipedia article was pretty good.

I know the different concepts since I wrote some XXS based
bookmark scripts and did some experiments with easyxdm
and z3c.jsonrpcproxy.

In my point of view a page token is just a part
of a security concept and doesn't help as THE solution.

Probably we could implement a mixin class like:

class ProtectorMixin(object):

    def update(self):
        # inject and validate page token
        super(ProtectorMixin, self).update()

Here are my reasons why this should not go to the default classes:

- it slows things down

- it suggests secure forms but doesn't without other
  protection concepts

- it makes the not so simple z3c form concept even
  more complex

- it's an overhead to protect any form by default
  or lookup non existing adapters

What do you think?

Roger Ineichen

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )

Reply via email to