On 4 April 2011 19:16, Roger <d...@projekt01.ch> wrote: > Hi Shane > >> -----Ursprüngliche Nachricht----- >> Von: Shane Hathaway [mailto:sh...@hathawaymix.org] >> Gesendet: Montag, 4. April 2011 19:54 >> An: d...@projekt01.ch >> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.rich...@gmail.com >> Betreff: Re: [Zope-dev] CSRF protection for z3c.form >> >> On 04/04/2011 10:22 AM, Roger wrote: >> > Just because you can write login forms with z3c.form this >> package has >> > nothing to do with authentication. That's just a form framework! >> > >> > Authentication is defently not a part >> > of our z3c.form framework and should not become one. >> > >> > Why do you think authentication has something to do with >> the z3c.form >> > library? Did I miss something? >> >> This thread is using the word authenticate differently than >> most other Zope-related discussions. Here, we are >> authenticating the *form*, not the user. We need to be sure >> that submitted form data was produced by an authentic form. >> Otherwise, a crafty site could cause the user's browser to >> invoke some action in the background. > > > I know what you mean. As long as this is not implemented > in z3c.form I'm fine Because I don't belive in this > kind of protection since I did some very fancy stuff > with easyxdm.