[Zope-dev] CSRF protection for z3c.form

Roger dev at projekt01.ch
Wed Apr 6 13:43:15 EDT 2011


Hi Laurence

> Subject: Re: [Zope-dev] CSRF protection for z3c.form
> 
> On 4 April 2011 19:16, Roger <dev at projekt01.ch> wrote:
> > Hi Shane
> >
> >> -----Original Message-----
> >> From: Shane Hathaway [mailto:shane at hathawaymix.org]
> >> Sent: Monday, 4 April 2011 19:54
> >> To: dev at projekt01.ch
> >> Cc: 'Laurence Rowe'; 'zope-dev'; stephan.richter at gmail.com
> >> Subject: Re: [Zope-dev] CSRF protection for z3c.form
> >>
> >> On 04/04/2011 10:22 AM, Roger wrote:
> >> > Just because you can write login forms with z3c.form, this
> >> > package has nothing to do with authentication. That's just a
> >> > form framework!
> >> >
> >> > Authentication is definitely not a part of our z3c.form
> >> > framework and should not become one.
> >> >
> >> > Why do you think authentication has something to do with
> >> > the z3c.form library? Did I miss something?
> >>
> >> This thread is using the word authenticate differently than most 
> >> other Zope-related discussions.  Here, we are authenticating the 
> >> *form*, not the user.  We need to be sure that submitted form data 
> >> was produced by an authentic form.
> >> Otherwise, a crafty site could cause the user's browser to invoke 
> >> some action in the background.
> >
> >
> > I know what you mean. As long as this is not implemented in
> > z3c.form I'm fine, because I don't believe in this kind of
> > protection since I did some very fancy stuff with easyXDM.
> 
> Roger,
> 
> Could you please describe in more detail why you don't 
> believe in this sort of protection? As far as I can see the 
> easyXDM messaging stuff requires supporting JavaScript to be 
> executed in the context of both documents, so modulo any 
> JavaScript injection vulnerabilities, it has no impact on the 
> efficacy of form authenticators.

I think protecting the form is just one part of a concept.
Another part must be to prevent JavaScript injection in
user-generated content. If an application allows posting
JS in a blog post or comment etc., it should be possible to
use easyXDM to read and re-use the secure form token.
(not confirmed, but it should work)

One of my bigger concerns is also that such a token will
break a lot of our tests, which would force us to use
custom form classes that don't generate a security token.

In general I'm fine with implementing such a concept
in z3c.form, but it should be optional.
Why not offer additional form classes or a mixin
supporting such a token?

Regards
Roger Ineichen

> Laurence
> 
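Added illustration, not code from the thread, from z3c.form or from easyXDM: one way the opt-in mixin Roger asks for could look, written against constructed stand-ins (`Form`, `Request`, `Session`) rather than z3c.form's real classes. The field name `_authenticator`, the HMAC-over-session-secret token layout and the one-hour lifetime are assumptions. It also shows the two points made above: forms that don't mix it in behave exactly as before, so existing tests keep passing, and the token is bound to the server-side session, so a cross-site POST (no token) and a replay from another session are both refused. What it cannot do is survive script injection: JavaScript already running in the same origin can read the hidden field, which is Roger's objection.

```python
import hashlib
import hmac
import secrets
import time


class Session(dict):
    """Constructed server-side session store (stand-in for the real session)."""


class Request:
    """Constructed request: HTTP method, submitted form data, and the caller's session."""
    def __init__(self, session, method='GET', form=None):
        self.session = session
        self.method = method
        self.form = dict(form or {})


class Form:
    """Hypothetical minimal form base standing in for the framework's form class.
    update() processes a submission; hidden_fields() is what a template would embed."""
    def __init__(self, request):
        self.request = request
        self.errors = []
        self.processed = False

    def update(self):
        if self.request.method == 'POST':
            self.processed = True  # the form's actions would run here

    def hidden_fields(self):
        return ''


class CSRFMixin:
    """Opt-in form authenticator (assumed design, not z3c.form's):
    token = '<timestamp>:' + HMAC-SHA256(session secret, form_id + ':' + timestamp).
    The secret never leaves the server-side session, so another site cannot mint a
    token and a token captured from one session does not verify in another.
    It does not help once a script already runs in the page: same-origin JavaScript
    (e.g. injected into a comment) can read the hidden field like any other."""
    csrf_field = '_authenticator'   # assumed field name
    csrf_ttl = 3600                 # seconds a token stays valid
    form_id = 'form'                # override per form so tokens are not interchangeable

    def _secret(self):
        secret = self.request.session.get('csrf_secret')
        if secret is None:
            secret = secrets.token_bytes(32)
            self.request.session['csrf_secret'] = secret
        return secret

    def _mac(self, ts):
        msg = ('%s:%d' % (self.form_id, ts)).encode()
        return hmac.new(self._secret(), msg, hashlib.sha256).hexdigest()

    def csrf_token(self, now=None):
        ts = int(time.time() if now is None else now)
        return '%d:%s' % (ts, self._mac(ts))

    def verify_csrf(self, token, now=None):
        if not isinstance(token, str) or ':' not in token:
            return False
        ts_str, mac = token.split(':', 1)
        if not ts_str.isdecimal():
            return False
        ts = int(ts_str)
        now = int(time.time() if now is None else now)
        if ts > now or now - ts > self.csrf_ttl:
            return False          # from the future, or expired
        # constant-time comparison so the MAC cannot be guessed byte by byte
        return hmac.compare_digest(mac.encode(), self._mac(ts).encode())

    def update(self):
        if self.request.method == 'POST' and \
                not self.verify_csrf(self.request.form.get(self.csrf_field)):
            self.errors.append('form authenticator missing or invalid')
            return                # refuse to run any action
        super().update()

    def hidden_fields(self):
        return super().hidden_fields() + '<input type="hidden" name="%s" value="%s" />' % (
            self.csrf_field, self.csrf_token())


class PlainForm(Form):
    """Untouched form class: existing tests that POST without a token keep passing."""


class ProtectedForm(CSRFMixin, Form):
    """The same form with the authenticator mixed in."""
    form_id = 'comment-form'


def scenario():
    """Walk through the cases the thread discusses; returns which POSTs were processed."""
    victim, attacker = Session(), Session()
    token = ProtectedForm(Request(victim)).csrf_token()        # rendered into the victim's page

    forged = ProtectedForm(Request(victim, 'POST', {'text': 'spam'}))   # cross-site POST, no token
    forged.update()
    genuine = ProtectedForm(Request(victim, 'POST', {'text': 'hi', '_authenticator': token}))
    genuine.update()
    replay = ProtectedForm(Request(attacker, 'POST', {'text': 'x', '_authenticator': token}))
    replay.update()                                             # token from someone else's session
    plain = PlainForm(Request(victim, 'POST', {'text': 'x'}))   # opted out: no check at all
    plain.update()
    return {'forged': forged.processed, 'genuine': genuine.processed,
            'replay': replay.processed, 'plain': plain.processed}


if __name__ == '__main__':
    print(scenario())
```

Keeping the check in `update()` of the mixin rather than in the base form is what makes it optional: a test suite that posts to `PlainForm` never sees the hidden field, and a project that wants the protection switches the base class or mixes `CSRFMixin` into its own. The timestamp in the token is what lets the server reject stale tokens without storing them per form.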