<div dir="ltr">Hi Jan-Wij,<div><br></div><div>+1 for implementing convenient CSRF.</div><div><br></div><div>I wonder if you could make your implementation more orthogonal by implementing a CSRF "field/widget", and make your `protected` attribute simply trigger the inclusion of this field implicitly.</div>
<div><br></div><div>This way you wouldn't need to change the `*<a href="http://pageform.pt">pageform.pt</a>` templates like you do now, and `setupToken()`/`checkToken()` would move to the widget code.</div><div><br></div>
<div>Cheers,</div><div><br></div><div>Leo</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 18, 2013 at 11:41 AM, Jan-Wijbrand Kolman <span dir="ltr"><<a href="mailto:janwijbrand@gmail.com" target="_blank">janwijbrand@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I've been working on CSRF protection for zope.formlib.<br>
<br>
I have a "csrfprotection" branch in my zope.formlib fork on github. The changes against the current zope.formlib mainline can be found here:<br>
<br>
<a href="https://github.com/janwijbrand/zope.formlib/compare/csrfprotection" target="_blank">https://github.com/<u></u>janwijbrand/zope.formlib/<u></u>compare/csrfprotection</a><br>
<br>
When creating form components based on zope.formlib.form.FormBase, one can enable this protection just by setting the attribute ``protected`` to True on the component.<br>
<br>
This implementation is based on the following assumptions:<br>
<br>
* We do not want to keep server-side state(!)<br>
<br>
* An "attacker" that attempts CSRF cannot get to information stored in cookies that are meant for the domain of the (forged) request.<br>
<br>
* The token stored in the cookie is sufficiently random and long, to be practically "unguessable" by the attacker.<br>
<br>
* The form submit is deemed valid as long as the token in the cookie is identical to a hidden input value that is part of the form submit.<br>
<br>
My questions:<br>
<br>
* Do you find this feature useful enough to be, in principle, included in zope.formlib?<br>
<br>
* I'd like to kindly request someone to review my branch and provide feedback.<br>
<br>
The included test cases describe a few more questions and concerns about this implementation.<br>
<br>
Thank you in advance!<br>
<br>
kind regards, jw<br>
<br>
______________________________<u></u>_________________<br>
Zope-Dev maillist - <a href="mailto:Zope-Dev@zope.org" target="_blank">Zope-Dev@zope.org</a><br>
<a href="https://mail.zope.org/mailman/listinfo/zope-dev" target="_blank">https://mail.zope.org/mailman/<u></u>listinfo/zope-dev</a><br>
** No cross posts or HTML encoding! **<br>
(Related lists -<br>
<a href="https://mail.zope.org/mailman/listinfo/zope-announce" target="_blank">https://mail.zope.org/mailman/<u></u>listinfo/zope-announce</a><br>
<a href="https://mail.zope.org/mailman/listinfo/zope" target="_blank">https://mail.zope.org/mailman/<u></u>listinfo/zope</a> )<br>
</blockquote></div><br></div>