Hi Stephan
Subject: Re: AW: [Zope-dev] CSRF protection for z3c.form
On Monday, April 04, 2011, Roger wrote:
Authentication is definitely not a part of our z3c.form framework and should not become one.
Why do you think authentication has something to do with the z3c.form library? Did I miss something?
Roger, this has nothing to do with user authentication, but rather form authenticity, as in: Has the user submitted the same form s/he received in the first place?
I was confused the first time I was reading. But it doesn't matter if we check authentication or page tokens. Both are a check for "did the user's browser access this page before". But anyway, form authenticity is nice but an illusion. All we can do is to make it harder to attack a form.
Google "CSRF". The Wikipedia article was pretty good.
I know the different concepts since I wrote some XSS based bookmark scripts and did some experiments with easyxdm and z3c.jsonrpcproxy. From my point of view a page token is just a part of a security concept and doesn't help as THE solution.

Probably we could implement a mixin class like:

    class ProtectorMixin(object):
        def update(self):
            # inject and validate page token
            super(ProtectorMixin, self).update()

Here are my reasons why this should not go to the default classes:

- it slows things down
- it suggests secure forms but doesn't without other protection concepts
- it makes the not so simple z3c.form concept even more complex
- it's an overhead to protect any form by default or look up non-existing adapters

What do you think?

Regards
Roger Ineichen
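As an added illustration of the mixin sketched above (not code from the thread or from z3c.form itself), the following shows what "inject and validate page token" can mean concretely: the token is an HMAC bound to the session and the form class, it is rendered as a hidden field, and on submission a missing or mismatched token rejects the request. The Request and Form classes are constructed stand-ins for the Zope request and z3c.form.form.Form; the field name `_authenticator`, the `form.buttons.` prefix used to detect a submission, and the secret are assumptions.

```python
import hmac
import hashlib


class Request:
    """Constructed stand-in for a Zope request: a session id plus submitted fields."""
    def __init__(self, session_id, form=None):
        self.session_id = session_id
        self.form = dict(form or {})


class Form:
    """Constructed stand-in for z3c.form.form.Form; only update() matters here."""
    def __init__(self, request):
        self.request = request
        self.updated = False

    def update(self):
        self.updated = True


class CSRFError(Exception):
    pass


def make_token(secret, session_id, form_name):
    # Bind the token to the session and the form so a token captured from one
    # session or one form cannot be replayed against another.
    msg = ("%s|%s" % (session_id, form_name)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ProtectorMixin:
    token_field = "_authenticator"          # hidden input name (assumed convention)
    secret = b"constructed-server-secret"   # real deployments: per-site secret, not in source

    def is_submission(self):
        # z3c.form submissions carry the pressed button as form.buttons.<name>
        return any(k.startswith("form.buttons.") for k in self.request.form)

    def update(self):
        expected = make_token(self.secret, self.request.session_id, type(self).__name__)
        if self.is_submission():
            submitted = self.request.form.get(self.token_field)
            # missing and mismatched tokens fail alike; compare in constant time
            if submitted is None or not hmac.compare_digest(submitted, expected):
                raise CSRFError("page token missing or invalid")
        self.token = expected   # the template renders this as the hidden field
        super().update()


class EditForm(ProtectorMixin, Form):
    pass
```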