Hi,

I've been working on CSRF protection for zope.formlib. I have a "csrfprotection" branch in my zope.formlib fork on github. The changes against the current zope.formlib mainline can be found here:

https://github.com/janwijbrand/zope.formlib/compare/csrfprotection

When creating form components based on zope.formlib.form.FormBase, one can enable this protection just by setting the attribute ``protected`` to True on the component.

This implementation is based on the following assumptions:

* We do not want to keep server-side state(!)
* An "attacker" that attempts CSRF cannot get to information stored in cookies that are meant for the domain of the (forged) request.
* The token stored in the cookie is sufficiently random and long, to be practically "unguessable" by the attacker.
* The form submit is deemed valid as long as the token in the cookie is identical to a hidden input value that is part of the form submit.

My questions:

* Do you find this feature useful enough to be, in principle, included in zope.formlib?
* I'd like to kindly request someone to review my branch and provide feedback.

The included test cases describe a few more questions and concerns about this implementation.

Thank you in advance!

kind regards,
jw
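The four assumptions above describe the stateless "double-submit cookie" pattern. The following is an added stand-alone example of that pattern, written for this page and not taken from the csrfprotection branch or from zope.formlib itself: the cookie name, the hidden-field name, the token length and the `FakeRequest` stand-in are all assumptions made here. It shows the token being minted into a cookie with no server-side copy, echoed into a hidden input, and compared on submit with a constant-time check, plus the two cases the assumptions rely on: a same-browser submit that carries both copies, and a submit built elsewhere that carries the browser's cookie but cannot reproduce its value in the form field.

```python
import hmac
import secrets

COOKIE_NAME = "csrftoken"        # assumed cookie name (not taken from the branch)
FIELD_NAME = "form.csrftoken"    # assumed hidden-input name (not taken from the branch)
TOKEN_BYTES = 32                 # 256 bits from the OS CSPRNG: practically unguessable


class FakeRequest:
    """Minimal stand-in for a request object, constructed for this example.

    `cookies` holds what the browser attached, `form` the submitted fields and
    `set_cookies` what the server asks the browser to store in the response.
    """

    def __init__(self, cookies=None, form=None):
        self.cookies = dict(cookies or {})
        self.form = dict(form or {})
        self.set_cookies = {}


def ensure_token(request):
    """Return the client's CSRF token, minting and setting the cookie if absent.

    Nothing is stored on the server: the cookie is the only copy of the token.
    """
    token = request.cookies.get(COOKIE_NAME)
    if not token:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        request.set_cookies[COOKIE_NAME] = token
    return token


def hidden_input(token):
    """Hidden field that carries the token back with the form submit.

    token_urlsafe() only yields [A-Za-z0-9_-], so no HTML escaping is needed here.
    """
    return '<input type="hidden" name="%s" value="%s" />' % (FIELD_NAME, token)


def submit_is_valid(request):
    """Double-submit check: the cookie token and the form token must match.

    Both values are required, and the comparison is constant-time so the check
    itself does not leak how many leading characters of a guess matched.
    """
    cookie_token = request.cookies.get(COOKIE_NAME, "")
    form_token = request.form.get(FIELD_NAME, "")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


def legitimate_flow():
    """Render the form for a fresh client, then submit it from the same browser."""
    render = FakeRequest()
    token = ensure_token(render)        # cookie set in the response
    html = hidden_input(token)          # same token echoed into the page
    assert token in html
    # The browser sends back the cookie it was given and the field it rendered.
    submit = FakeRequest(cookies=render.set_cookies, form={FIELD_NAME: token})
    return submit_is_valid(submit)


def cross_site_flow():
    """A submit built by a page on another origin: the browser still attaches
    the victim's cookie, but that page never saw the cookie value (assumption 2),
    so its hidden field is at best a guess (assumption 3) and cannot match."""
    victim_cookie = {COOKIE_NAME: secrets.token_urlsafe(TOKEN_BYTES)}
    forged = FakeRequest(cookies=victim_cookie,
                         form={FIELD_NAME: secrets.token_urlsafe(TOKEN_BYTES)})
    return submit_is_valid(forged)


def cookieless_submit():
    """Submit with a form token but no cookie at all: nothing to match, rejected."""
    return submit_is_valid(FakeRequest(form={FIELD_NAME: "anything"}))


if __name__ == "__main__":
    print("same-browser submit accepted:", legitimate_flow())
    print("cross-site submit accepted:  ", cross_site_flow())
    print("cookieless submit accepted:  ", cookieless_submit())
```

The whole scheme stands or falls on the second assumption: any code that can read or set cookies for the form's domain (a script on the same origin, or a sibling subdomain that can set a domain-wide cookie) can satisfy the check, which is why the cookie value should never be exposed to other origins and why the comparison must reject an empty pair rather than treat "both missing" as a match.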