[Zope-dev] CSRF protection for z3c.form
Roger
dev at projekt01.ch
Wed Apr 6 13:43:15 EDT 2011
Hi Laurence
> Betreff: Re: [Zope-dev] CSRF protection for z3c.form
>
> On 4 April 2011 19:16, Roger <dev at projekt01.ch> wrote:
> > Hi Shane
> >
> >> -----Ursprüngliche Nachricht-----
> >> Von: Shane Hathaway [mailto:shane at hathawaymix.org]
> >> Gesendet: Montag, 4. April 2011 19:54
> >> An: dev at projekt01.ch
> >> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.richter at gmail.com
> >> Betreff: Re: [Zope-dev] CSRF protection for z3c.form
> >>
> >> On 04/04/2011 10:22 AM, Roger wrote:
> >> > Just because you can write login forms with z3c.form this
> >> package has
> >> > nothing to do with authentication. That's just a form framework!
> >> >
> >> > Authentication is defently not a part of our z3c.form
> framework and
> >> > should not become one.
> >> >
> >> > Why do you think authentication has something to do with
> >> the z3c.form
> >> > library? Did I miss something?
> >>
> >> This thread is using the word authenticate differently than most
> >> other Zope-related discussions. Here, we are authenticating the
> >> *form*, not the user. We need to be sure that submitted form data
> >> was produced by an authentic form.
> >> Otherwise, a crafty site could cause the user's browser to invoke
> >> some action in the background.
> >
> >
> > I know what you mean. As long as this is not implemented in
> z3c.form
> > I'm fine Because I don't belive in this kind of protection
> since I did
> > some very fancy stuff with easyxdm.
>
> Roger,
>
> Could you please describe in more detail why you don't
> believe in this sort of protection? As far as I can see the
> easyxdv messaging stuff requires supporting javascript to be
> executed in the context of both documents, so modulo any
> javascript injection vulnerabilities, it has no impact on the
> efficacy of form authenticators.
I think to protect the form is just a part of a concept.
Another part must be to prevent to inject JavaScript in
user generated content. If an application allows to post
JS in a blog post or comment etc. it should be possible to
use easydmx to read and re-use the secure form token.
(not approved but should work)
One of my bigger concern is also that such a token will
break a lot of our tests which whould force us to use
custom non security token generating form classes.
I'm fine in general for implement such a concept
in z3c.form but it should be optional.
Why not offer additional form classes or a mixin
for support such token?
Regards
Roger Ineichen
> Laurence
>
More information about the Zope-Dev
mailing list