[Zope-dev] CSRF protection for z3c.form

Laurence Rowe l at lrowe.co.uk
Tue Apr 5 08:17:38 EDT 2011


On 4 April 2011 19:16, Roger <dev at projekt01.ch> wrote:
> Hi Shane
>
>> -----Original Message-----
>> From: Shane Hathaway [mailto:shane at hathawaymix.org]
>> Sent: Monday, 4 April 2011 19:54
>> To: dev at projekt01.ch
>> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.richter at gmail.com
>> Subject: Re: [Zope-dev] CSRF protection for z3c.form
>>
>> On 04/04/2011 10:22 AM, Roger wrote:
>> > Just because you can write login forms with z3c.form this package has
>> > nothing to do with authentication. That's just a form framework!
>> >
>> > Authentication is definitely not a part
>> > of our z3c.form framework and should not become one.
>> >
>> > Why do you think authentication has something to do with the z3c.form
>> > library? Did I miss something?
>>
>> This thread is using the word authenticate differently than
>> most other Zope-related discussions.  Here, we are
>> authenticating the *form*, not the user.  We need to be sure
>> that submitted form data was produced by an authentic form.
>> Otherwise, a crafty site could cause the user's browser to
>> invoke some action in the background.
>
>
> I know what you mean. As long as this is not implemented
> in z3c.form I'm fine, because I don't believe in this
> kind of protection since I did some very fancy stuff
> with easyxdm.

Roger,

Could you please describe in more detail why you don't believe in this
sort of protection? As far as I can see the easyxdm messaging stuff
requires supporting javascript to be executed in the context of both
documents, so modulo any javascript injection vulnerabilities, it has
no impact on the efficacy of form authenticators.

Laurence
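Shane's point above, that a form authenticator authenticates the form rather than the user, as an added example that is not code from z3c.form or plone.protect: the server mints an HMAC token bound to the session and the form, renders it as a hidden field, and only accepts a POST that carries it back. The names `make_token`, `check_submission` and the field name `_authenticator`, plus the secret and session values, are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed secret; in a real deployment it lives in server configuration
# and the session id comes from the authentication cookie.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
TOKEN_FIELD = "_authenticator"  # hypothetical hidden-field name


def make_token(session_id: str, form_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Value the server renders into an authentic form's hidden field.

    Only the server can mint it, and it is useless for another session
    or another form, so a page on a different origin cannot reproduce it.
    """
    msg = f"{session_id}\x00{form_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_submission(session_id: str, form_id: str, post_data: dict,
                     secret: bytes = SERVER_SECRET) -> bool:
    """True only if the POST carries a token minted for this session and form."""
    presented = str(post_data.get(TOKEN_FIELD, ""))
    expected = make_token(session_id, form_id, secret)
    # compare_digest keeps the comparison time independent of the mismatch position.
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> dict:
    """Walk through the cases the thread discusses; returns each verdict."""
    session = secrets.token_hex(8)  # constructed session id
    authentic = {"email": "a@example.org",
                 TOKEN_FIELD: make_token(session, "change-email")}
    # A third-party page can make the browser send a POST with the session
    # cookie attached, but it cannot read the token out of the authentic form.
    cross_site = {"email": "forged@example.org"}
    other_form = {"email": "a@example.org",
                  TOKEN_FIELD: make_token(session, "other-form")}
    return {
        "authentic": check_submission(session, "change-email", authentic),
        "cross_site": check_submission(session, "change-email", cross_site),
        "wrong_form": check_submission(session, "change-email", other_form),
        "wrong_session": check_submission("other-session", "change-email", authentic),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the token is bound to the session cookie; a submission that arrives without the matching cookie fails for that reason, which is exactly why script running in both documents (Laurence's easyxdm point) is what an attacker would need and is out of scope for this check.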

