> Subject: Re: AW: [Zope-dev] CSRF protection for z3c.form
> On Monday, April 04, 2011, Roger wrote:
> > Authentication is definitely not a part
> > of our z3c.form framework and should not become one.
> > Why do you think authentication has something to do with
> > the z3c.form
> > library? Did I miss something?
> Roger, this has nothing to do with user authentication, but
> rather form authenticity, as in: Has the user submitted the
> same form s/he has received in the first place.
I was confused the first time I read it. But it
doesn't matter if we check authentication or
page tokens. Both are a check for "did the user's
browser access this page before".
But anyway, form authenticity is nice but an illusion.
All we can do is to make it harder to attack a form.
> Google "CSRF". The Wikipedia article was pretty good.
I know the different concepts since I wrote some XSS-based
bookmark scripts and did some experiments with easyxdm.
From my point of view a page token is just a part
of a security concept and doesn't help as THE solution.
Probably we could implement a mixin class like:
# inject and validate page token
Here are my reasons why this should not go into the default classes:
- it slows things down
- it suggests secure forms but doesn't without other
- it makes the not so simple z3c form concept even
- it's an overhead to protect any form by default
or look up non-existing adapters
What do you think?
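As an added illustration of the "inject and validate page token" mixin sketched above (this is example code, not from the thread, z3c.form or Zope): a token is an HMAC over the issue time, a nonce, the user's session id and the form's id, so a token replayed from another session or pasted into a different form fails validation, and it expires after a TTL. The attribute names `session_id`, `secret`, `form_id` and the field name `_authenticator` are assumed for the demo; a real form class would supply them from the request and site configuration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption (not from the thread): the application already has a trustworthy
# per-user session id and a server-side secret key. Names below are hypothetical.

TOKEN_TTL = 3600  # seconds a token stays valid


def _mac(secret: bytes, session_id: str, form_id: str, issued: int, nonce: str) -> str:
    """HMAC-SHA256 over everything the token must be bound to."""
    msg = f"{issued}:{nonce}:{session_id}:{form_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(secret: bytes, session_id: str, form_id: str,
               now: Optional[int] = None) -> str:
    """Build a token for this session and this form.

    Format: <issued-at>:<nonce>:<hmac-hex>. Nothing secret is stored server
    side; the HMAC is recomputed from the session id at validation time.
    """
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return f"{issued}:{nonce}:{_mac(secret, session_id, form_id, issued, nonce)}"


def check_token(secret: bytes, session_id: str, form_id: str, token: str,
                now: Optional[int] = None, ttl: int = TOKEN_TTL) -> bool:
    """True only for a well-formed, unexpired token bound to this session and form."""
    current = int(time.time()) if now is None else now
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    if issued > current or current - issued > ttl:
        return False  # clock skew forward or expired
    expected = _mac(secret, session_id, form_id, issued, nonce)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


class CSRFTokenMixin:
    """Mixin for a form class: inject a hidden field on render, validate on submit.

    Assumes the host class provides self.secret, self.session_id and
    self.form_id (hypothetical attribute names for the demo).
    """
    token_field = "_authenticator"
    secret: bytes = b""
    session_id: str = ""
    form_id: str = ""

    def inject_token(self) -> str:
        # Token is hex digits and colons only, so no HTML escaping is needed.
        token = make_token(self.secret, self.session_id, self.form_id)
        return f'<input type="hidden" name="{self.token_field}" value="{token}" />'

    def validate_request(self, form_data: dict) -> bool:
        token = form_data.get(self.token_field)
        if token is None:
            return False
        return check_token(self.secret, self.session_id, self.form_id, token)


class EditForm(CSRFTokenMixin):
    """Constructed demo form; a real one would pull these from the request."""
    secret = b"demo-secret-key"
    session_id = "session-of-alice"
    form_id = "edit-profile"


if __name__ == "__main__":
    form = EditForm()
    hidden = form.inject_token()
    token = hidden.split('value="')[1].split('"')[0]
    print("own session, own form:", form.validate_request({"_authenticator": token}))
    print("forged by another session:",
          check_token(form.secret, "session-of-mallory", form.form_id, token))
```

Note what this does and does not buy: it stops a cross-site page from submitting a valid form on the user's behalf, because the attacker cannot read the token without a same-origin read. It does nothing against script already running in the origin (an XSS can read the hidden field), which is the limit the message above is pointing at.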
Zope-Dev maillist - Zope-Dev@zope.org