On 11/15/2012 08:27 PM, Matthew Wilkes wrote:
>
> Tres Seaver wrote:
>> +<browser:page
>> +    for="*"
>> +    name="csrf_token"
>> +    class=".utils.CSRFToken"
>> +    permission="zope.Public"
>> +    />
>> +
>
> Is there any reason for making the user's CSRF token available on a
> URL?
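Review bot: the registration `for="*"` with `permission="zope.Public"` makes `@@csrf_token` resolvable on every traversable object for unauthenticated requests, and nothing in the hunk documents what `.utils.CSRFToken` returns when the request carries no authenticated session. A ZCML comment or a docstring on the view stating that the token is bound to the caller's session (and what an anonymous caller receives) would make the public permission clearly intentional rather than an oversight.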
The rationale is making it trivially available to the templates, via:

  <input type="hidden" name="csrf_token"
         tal:attributes="value context/@@csrf_token" />

This makes updating those non-view-managed templates vastly simpler than
any other spelling.  Given that the token is the same string which will
be embedded in plaintext in web forms anyway, obscuring it by hiding the
URL is kind of pointless.

Tres.

-- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope-PAS mailing list
Zope-PAS@zope.org
https://mail.zope.org/mailman/listinfo/zope-pas
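The property Tres relies on, that the token is only useful to the session it was issued for, as an added illustration that is not the Zope code under discussion nor its `.utils.CSRFToken` view: the token is an HMAC over the session id, so the value embedded in the hidden input (or served at `@@csrf_token`) validates submissions from that session and no other. The server secret, session ids and form dicts are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from
# configuration and keeps it out of source control.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive the CSRF token for a session as HMAC-SHA256(secret, session_id).

    Because the token is a pure function of the session, a request that
    carries no session has nothing meaningful to read at the token URL,
    and a token issued to one session never validates for another.
    """
    mac = hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def render_hidden_input(session_id: str) -> str:
    """Render the equivalent of the hidden <input> the template emits."""
    return ('<input type="hidden" name="csrf_token" value="%s" />'
            % csrf_token_for(session_id))


def check_post(session_id: str, form: dict) -> bool:
    """Validate a submission: the posted csrf_token must equal the token
    derived for the submitting session.  compare_digest keeps the check
    constant-time so a mismatch does not leak how much of it matched."""
    submitted = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    own = "sess-0001"      # constructed session ids
    other = "sess-0002"
    print(render_hidden_input(own))
    # genuine submission from the session's own form
    print(check_post(own, {"csrf_token": csrf_token_for(own)}))    # True
    # a token derived for a different session is rejected
    print(check_post(own, {"csrf_token": csrf_token_for(other)}))  # False
    # missing token is rejected
    print(check_post(own, {}))                                     # False
```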