Hi Laurence

> Subject: Re: [Zope-dev] CSRF protection for z3c.form
>
> On 4 April 2011 19:16, Roger <[email protected]> wrote:
> > Hi Shane
> >
> >> -----Original Message-----
> >> From: Shane Hathaway [mailto:[email protected]]
> >> Sent: Monday, 4 April 2011 19:54
> >> To: [email protected]
> >> Cc: 'Laurence Rowe'; 'zope-dev'; [email protected]
> >> Subject: Re: [Zope-dev] CSRF protection for z3c.form
> >>
> >> On 04/04/2011 10:22 AM, Roger wrote:
> >> > Just because you can write login forms with z3c.form, this package has
> >> > nothing to do with authentication. That's just a form framework!
> >> >
> >> > Authentication is definitely not a part of our z3c.form framework and
> >> > should not become one.
> >> >
> >> > Why do you think authentication has something to do with the z3c.form
> >> > library? Did I miss something?
> >>
> >> This thread is using the word "authenticate" differently than most
> >> other Zope-related discussions. Here, we are authenticating the
> >> *form*, not the user. We need to be sure that submitted form data
> >> was produced by an authentic form.
> >> Otherwise, a crafty site could cause the user's browser to invoke
> >> some action in the background.
> >
> > I know what you mean. As long as this is not implemented in z3c.form
> > I'm fine, because I don't believe in this kind of protection since I did
> > some very fancy stuff with easyxdm.
>
> Roger,
>
> Could you please describe in more detail why you don't
> believe in this sort of protection? As far as I can see the
> easyxdm messaging stuff requires supporting javascript to be
> executed in the context of both documents, so modulo any
> javascript injection vulnerabilities, it has no impact on the
> efficacy of form authenticators.
I think protecting the form is just one part of a concept. Another part must be to prevent injecting JavaScript into user-generated content. If an application allows posting JS in a blog post or comment etc., it should be possible to use easyxdm to read and re-use the secure form token. (Not approved, but it should work.)

One of my bigger concerns is also that such a token will break a lot of our tests, which would force us to use custom form classes that don't generate security tokens.

I'm fine in general with implementing such a concept in z3c.form, but it should be optional. Why not offer additional form classes or a mixin for supporting such tokens?

Regards
Roger Ineichen

> Laurence

_______________________________________________
Zope-Dev maillist - [email protected]
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
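The "form authenticator" Shane describes, and the opt-in mixin Roger asks for, as an added example that is not part of the thread and not z3c.form's own code. The class and field names (`FormAuthenticator`, `ProtectedForm`, `_authenticator`) are assumptions for illustration; the token is an HMAC over the session id, form name and issue time under a server-side secret, so a page on another origin that can only make the victim's browser POST with its cookies cannot produce one. The last function models Laurence's caveat: once injected script runs inside the victim's page it can read the hidden field, and the token no longer helps.

```python
import hashlib
import hmac
import secrets
import time


class FormAuthenticator:
    """Issues and checks per-session form tokens (hypothetical helper, not z3c.form API)."""

    def __init__(self, secret, ttl=3600):
        self.secret = secret  # bytes, known only to the server
        self.ttl = ttl        # seconds a token stays valid

    def _mac(self, session_id, form_name, issued):
        msg = f"{session_id}|{form_name}|{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, form_name, now=None):
        issued = int(time.time() if now is None else now)
        return f"{issued}:{self._mac(session_id, form_name, issued)}"

    def verify(self, token, session_id, form_name, now=None):
        now = int(time.time() if now is None else now)
        try:
            issued_str, mac = token.split(":", 1)
            issued = int(issued_str)
        except (AttributeError, ValueError):
            return False  # missing or malformed token
        if issued > now or now - issued > self.ttl:
            return False  # clock skew or expired
        expected = self._mac(session_id, form_name, issued)
        return hmac.compare_digest(mac.encode(), expected.encode())


class Form:
    """Minimal stand-in for a form class; protection is opt-in via a subclass."""
    form_name = "edit"
    authenticator = None  # None: behaves like an unprotected form (keeps old tests working)

    def __init__(self, action):
        self.action = action  # callable run on an accepted submit
        self.rendered = {}    # the fields as the browser (or injected script) sees them

    def render(self, session_id):
        self.rendered = {"title": ""}
        if self.authenticator is not None:
            self.rendered["_authenticator"] = self.authenticator.issue(session_id, self.form_name)
        return self.rendered

    def handle_submit(self, session_id, fields):
        if self.authenticator is not None:
            token = fields.get("_authenticator")
            if not self.authenticator.verify(token, session_id, self.form_name):
                return False  # reject: not produced by an authentic form
        self.action(fields)
        return True


class ProtectedForm(Form):
    """The opt-in variant: same form, plus the authenticator."""
    authenticator = FormAuthenticator(secrets.token_bytes(32))


def simulate(form_cls):
    """Return (legit_ok, cross_site_ok) for a form class."""
    calls = []
    form = form_cls(calls.append)
    victim = "sess-victim"
    # Legitimate flow: the browser loads the form, then posts it back.
    fields = dict(form.render(victim))
    fields["title"] = "legit"
    legit_ok = form.handle_submit(victim, fields)
    # Cross-site flow: an attacker page makes the victim's browser POST in the
    # background. It rides on the victim's cookie but never saw the victim's page.
    cross_site_ok = form.handle_submit(victim, {"title": "pwned"})
    return legit_ok, cross_site_ok


def token_from_other_session_rejected():
    """An attacker's own valid token does not transfer to the victim's session."""
    form = ProtectedForm(lambda f: None)
    attacker_fields = dict(form.render("sess-attacker"))
    return form.handle_submit("sess-victim", attacker_fields) is False


def simulate_xss(form_cls):
    """Roger's point: script injected into the victim's page can read and reuse the token."""
    form = form_cls(lambda f: None)
    victim = "sess-victim"
    page = form.render(victim)  # what the injected script sees in the DOM
    stolen = {"title": "pwned", "_authenticator": page.get("_authenticator")}
    return form.handle_submit(victim, stolen)
```

Making the authenticator a class attribute that defaults to `None` is what keeps the existing test suite untouched: only forms that opt in by subclassing `ProtectedForm` (or setting `authenticator`) start demanding the hidden field.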
