[Zope-dev] CSRF protection for z3c.form
Roger
dev at projekt01.ch
Mon Apr 4 14:56:44 EDT 2011
Hi Stephan
> Betreff: Re: AW: [Zope-dev] CSRF protection for z3c.form
>
> On Monday, April 04, 2011, Roger wrote:
> > Authentication is definitely not a part
> > of our z3c.form framework and should not become one.
> >
> > Why do you think authentication has something to do with
> the z3c.form
> > library? Did I miss something?
>
> Roger, this has nothing to do with user authentication, but
> rather form authenticity, as in: Has the user submitted the
> same form s/he has received in the first place.
I was confused the first time I was reading. But it
doesn't matter if we check authentication or
page tokens. Both are a check for "did the user's
browser access this page before".
But anyway, form authenticity is nice but an illusion.
All we can do is to make it harder to attack a form.
> Google "CSRF". The Wikipedia article was pretty good.
I know the different concepts since I wrote some XSS based
bookmark scripts and did some experiments with easyxdm
and z3c.jsonrpcproxy.
From my point of view a page token is just a part
of a security concept and doesn't help as THE solution.
Probably we could implement a mixin class like:
class ProtectorMixin(object):
    def update(self):
        # inject and validate page token
        super(ProtectorMixin, self).update()
Here are my reasons why this should not go to the default classes:
- it slows things down
- it suggests secure forms but doesn't without other
protection concepts
- it makes the not so simple z3c form concept even
more complex
- it's an overhead to protect any form by default
or lookup non existing adapters
What do you think?
Regards
Roger Ineichen
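The mixin sketched in the message above, worked out as an added example. This is not code from the thread or from z3c.form: the `BaseForm` class, the dict-shaped `request` with `'form'` and `'session'` keys, and the `render_and_submit` driver are all stand-ins constructed for the example, and z3c.form's real `update()` mechanics and session API differ. The point it shows is what a page token actually checks: the submitted value must match a token derived from a secret held server-side in the browser's own session, so a request forged from another origin (which cannot read that session) fails before any form action runs.

```python
import hmac
import hashlib
import secrets


class CSRFTokenError(Exception):
    """Raised when a submitted form carries no valid page token."""


class BaseForm(object):
    """Stand-in for a z3c.form form class (constructed for this example).

    `request['form']` holds submitted fields, `request['session']` holds
    server-side per-browser state. Both are plain dicts here.
    """

    def __init__(self, request):
        self.request = request
        self.updated = False

    def update(self):
        # in a real form this is where widgets and actions are processed
        self.updated = True


class ProtectorMixin(object):
    """Injects a per-session page token and validates it on submission.

    The secret never leaves the server; only an HMAC of it is rendered into
    a hidden field, and the comparison is constant-time.
    """

    token_field = '_csrf_token'
    session_key = '_csrf_secret'

    def _session_secret(self):
        session = self.request['session']
        secret = session.get(self.session_key)
        if secret is None:
            secret = secrets.token_hex(32)
            session[self.session_key] = secret
        return secret

    def page_token(self):
        # bind the token to the form name so a token issued for one form
        # does not validate a different form in the same session
        form_name = getattr(self, 'name', self.__class__.__name__)
        return hmac.new(self._session_secret().encode(),
                        form_name.encode(), hashlib.sha256).hexdigest()

    def hidden_field_html(self):
        # the token is rendered as a hidden input alongside the other widgets
        return '<input type="hidden" name="%s" value="%s" />' % (
            self.token_field, self.page_token())

    def validate_page_token(self):
        submitted = self.request['form'].get(self.token_field, '')
        if not hmac.compare_digest(submitted, self.page_token()):
            raise CSRFTokenError('missing or invalid page token')

    def update(self):
        # only submissions are checked; a plain GET just renders the token
        if self.request['form']:
            self.validate_page_token()
        super(ProtectorMixin, self).update()


class ProtectedForm(ProtectorMixin, BaseForm):
    name = 'edit-profile'


def render_and_submit(tamper=False, foreign_session=False):
    """Simulate a GET that renders the form, then a POST that submits it.

    Returns True if the submission was accepted, False if the token check
    rejected it. `tamper` replaces the token, `foreign_session` submits a
    valid-looking token from a different browser session (the CSRF case).
    """
    session = {}
    form = ProtectedForm({'form': {}, 'session': session})
    form.update()
    token = form.page_token()
    if tamper:
        token = 'x' * len(token)
    if foreign_session:
        # the attacker's own session yields a token that is unrelated to
        # the victim's session secret
        other = ProtectedForm({'form': {}, 'session': {}})
        token = other.page_token()
    post = {'form': {'_csrf_token': token, 'fullname': 'Alice'},
            'session': session}
    try:
        ProtectedForm(post).update()
        return True
    except CSRFTokenError:
        return False
```

As Roger notes, this is one layer only: it makes forged submissions harder, but it does nothing against a script already running in the page's origin (an XSS), which can read the hidden field and submit a valid token.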