On 4 April 2011 19:16, Roger <d...@projekt01.ch> wrote:
> Hi Shane
>> -----Original Message-----
>> From: Shane Hathaway [mailto:sh...@hathawaymix.org]
>> Sent: Monday, 4 April 2011 19:54
>> To: d...@projekt01.ch
>> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.rich...@gmail.com
>> Subject: Re: [Zope-dev] CSRF protection for z3c.form
>> On 04/04/2011 10:22 AM, Roger wrote:
>> > Just because you can write login forms with z3c.form this package
>> > has nothing to do with authentication. That's just a form framework!
>> > Authentication is definitely not a part
>> > of our z3c.form framework and should not become one.
>> > Why do you think authentication has something to do with the
>> > z3c.form library? Did I miss something?
>> This thread is using the word authenticate differently than
>> most other Zope-related discussions. Here, we are
>> authenticating the *form*, not the user. We need to be sure
>> that submitted form data was produced by an authentic form.
>> Otherwise, a crafty site could cause the user's browser to
>> invoke some action in the background.
> I know what you mean. As long as this is not implemented
> in z3c.form I'm fine, because I don't believe in this
> kind of protection since I did some very fancy stuff
> with easyxdm.
Could you please describe in more detail why you don't believe in this
sort of protection? As far as I can see the easyxdm messaging stuff
has no impact on the efficacy of form authenticators.
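
A sketch of the "form authenticator" idea discussed in this thread, added here as an illustration; it is not code from z3c.form or from any poster. The function names, SERVER_KEY, MAX_AGE and the session/form identifiers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret; generated per process here for the demo.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE = 3600  # seconds a rendered form stays valid (assumed policy)


def _mac(session_id, form_name, issued):
    # Bind the token to one session and one form so it cannot be reused
    # for another user or replayed against a different action.
    msg = f"{session_id}\x00{form_name}\x00{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_authenticator(session_id, form_name, now=None):
    """Value to embed as a hidden field when the server renders the form."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(session_id, form_name, issued)}"


def check_authenticator(token, session_id, form_name, now=None):
    """True only if this server issued the token for this session and form."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        # Missing or malformed field: a cross-site request carries the
        # session cookie but cannot read the hidden field from the form.
        return False
    if not 0 <= now - issued <= MAX_AGE:
        return False
    expected = _mac(session_id, form_name, issued)
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values.
    tok = issue_authenticator("sess-A", "edit-profile")
    print(check_authenticator(tok, "sess-A", "edit-profile"))   # genuine form
    print(check_authenticator(None, "sess-A", "edit-profile"))  # no field sent
```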