On 4 April 2011 14:57, Stephan Richter <srichter@cosmos.phy.tufts.edu> wrote:
> On Monday, April 04, 2011, Laurence Rowe wrote:
> > I'd be interested to know how other z3c.form users approach CSRF protection and what approach they would recommend.
>
> Hi Laurence,
>
> I am okay with (1), but find (3) more attractive. Since I am not familiar with the token solution to avoid CSRF attacks, can you briefly describe the sequence that is used to avoid those requests? Maybe we can come up with a tightly integrated solution. I have no problem with modifying z3c.form to support such a feature.
Hi Stephan,

The authenticator is described on http://pypi.python.org/pypi/plone.protect, but basically it adds an HMAC-SHA signed token into the form submission. By validating this you know that the submission came from a form that your site rendered, rather than an opportunistic 'drive-by' attack from another site.

I'm happy to go with (3). I assume it is not common for z3c.form users to have non-button actions or customize the ButtonActionHandler?

Laurence
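To make the token sequence Laurence describes concrete, here is an added Python example (not code from plone.protect or z3c.form, whose real implementations differ in detail) of an HMAC-signed form authenticator. It assumes a server-side secret, a token keyed to the authenticated user id, and a hidden `_authenticator` form field; the `handle_submission` hook stands in for the action handler that would verify the token before any form action runs. SHA-256 is used here as a choice; the thread only says "HMAC-SHA".

```python
import hashlib
import hmac
from typing import Dict

# Constructed example secret. A real site would load this from its keyring or
# configuration and never ship it in source.
SERVER_SECRET = b"constructed-example-secret-do-not-use"

FIELD_NAME = "_authenticator"  # hidden form field carrying the token


def make_token(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return an HMAC-SHA256 token bound to the site secret and the user.

    Only a form rendered by this site (which knows `secret`) can produce a
    token that validates for `user_id`; a third-party page cannot.
    """
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_token(user_id: str, submitted: str, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = make_token(user_id, secret)
    return hmac.compare_digest(expected, submitted)


def render_hidden_field(user_id: str) -> str:
    """Hidden input the site embeds in every form it renders."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{make_token(user_id)}" />'


def handle_submission(form_data: Dict[str, str], user_id: str) -> str:
    """Hypothetical action handler: verify the authenticator before acting.

    `user_id` is the identity of the authenticated request; the token must
    have been minted for that same user, otherwise the submission is refused.
    """
    if not check_token(user_id, form_data.get(FIELD_NAME, "")):
        return "rejected: missing or invalid authenticator"
    return "accepted"


if __name__ == "__main__":
    # A form rendered for alice and submitted back by alice is accepted.
    print(handle_submission({FIELD_NAME: make_token("alice")}, "alice"))
    # A submission with no token (the cross-site case) is refused.
    print(handle_submission({}, "alice"))
```

The key property is that the token is a function of a secret the attacker's site does not hold, so a forged form cannot include a valid value; binding it to the user id additionally stops a token captured in one session from being replayed for another user.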