[Zope-dev] CSRF protection for z3c.form
Roger
dev at projekt01.ch
Mon Apr 4 14:16:28 EDT 2011
Hi Shane
> -----Original Message-----
> From: Shane Hathaway [mailto:shane at hathawaymix.org]
> Sent: Monday, April 4, 2011 19:54
> To: dev at projekt01.ch
> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.richter at gmail.com
> Subject: Re: [Zope-dev] CSRF protection for z3c.form
>
> On 04/04/2011 10:22 AM, Roger wrote:
> > Just because you can write login forms with z3c.form this package has
> > nothing to do with authentication. That's just a form framework!
> >
> > Authentication is definitely not a part
> > of our z3c.form framework and should not become one.
> >
> > Why do you think authentication has something to do with the z3c.form
> > library? Did I miss something?
>
> This thread is using the word authenticate differently than
> most other Zope-related discussions. Here, we are
> authenticating the *form*, not the user. We need to be sure
> that submitted form data was produced by an authentic form.
> Otherwise, a crafty site could cause the user's browser to
> invoke some action in the background.
I know what you mean. As long as this is not implemented
in z3c.form I'm fine, because I don't believe in this
kind of protection since I did some very fancy stuff
with easyxdm.
Regards
Roger Ineichen
> BTW, the CSRF issue has existed as long as HTML forms have
> existed, but for some reason it has only drawn attention in
> the past year or two.
>
> Shane
>