[Zope-PAS] SVN: Products.PluggableAuthService/trunk/ Add 'getCSRFToken' and 'checkCSRFToken' helpers + 'CSRFToken' view.

Tres Seaver tseaver at palladion.com
Fri Nov 16 17:55:32 UTC 2012



On 11/15/2012 08:27 PM, Matthew Wilkes wrote:
> 
> 
> Tres Seaver wrote:
>> +<browser:page +      for="*" +      name="csrf_token" +
>> class=".utils.CSRFToken" +      permission="zope.Public" +      /> 
>> +
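Review bot: `permission="zope.Public"` combined with `for="*"` registers the `csrf_token` view as anonymously reachable on every object in the site; if the token is meant to be bound to an authenticated session, say so in the registration (or in `.utils.CSRFToken`) and consider aligning the permission with that of the forms the token protects. Since the view answers a GET, it should also send no-store cache headers so a shared cache cannot serve one user's token to another.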
> 
> Is there any reason for making the user's CSRF token available on a
> URL?

The rationale is making it trivially available to the templates, via:

 <input type="hidden" name="csrf_token"
        tal:attributes="value context/@@csrf_token" />

This makes updating those non-view-managed templates vastly simpler than
any other spelling.  Given that the token is the same string which will
be embedded in plaintext in web forms anyway, obscuring it by hiding the
URL is kind of pointless.



Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
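As an added illustration (not the Products.PluggableAuthService code under discussion), a small Python sketch of the pattern this thread describes: a session-bound token that a view hands to templates, rendered into the hidden input shown above, and a check that compares the submitted value on POST. The names CSRFHelper, csrf_token_view, render_hidden_input and handle_post, and the HMAC-over-session-id derivation, are hypothetical stand-ins for the getCSRFToken/checkCSRFToken helpers and the csrf_token view.

```python
import hmac
import hashlib


class CSRFHelper:
    """Hypothetical stand-in for the PAS helpers: token is an HMAC of the
    session id under a server-side secret, so it is stable per session
    and cannot be forged without the secret."""

    def __init__(self, server_secret: bytes):
        self._server_secret = server_secret

    def get_csrf_token(self, session_id: str) -> str:
        # Same session -> same token on every render, as the TAL snippet relies on.
        return hmac.new(self._server_secret, session_id.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def check_csrf_token(self, session_id: str, submitted) -> bool:
        if not submitted:
            return False
        # Constant-time compare against the token expected for *this* session.
        return hmac.compare_digest(self.get_csrf_token(session_id), str(submitted))


def csrf_token_view(helper: CSRFHelper, session_id: str):
    """Equivalent of the @@csrf_token browser view: returns the caller's own
    token; no-store keeps a shared cache from replaying it to another user."""
    headers = {"Content-Type": "text/plain", "Cache-Control": "no-store"}
    return headers, helper.get_csrf_token(session_id)


def render_hidden_input(helper: CSRFHelper, session_id: str) -> str:
    # What <input type="hidden" name="csrf_token"
    #       tal:attributes="value context/@@csrf_token" /> expands to.
    _, token = csrf_token_view(helper, session_id)
    return '<input type="hidden" name="csrf_token" value="%s" />' % token


def handle_post(helper: CSRFHelper, session_id: str, form: dict):
    """Server side of the form: reject the request unless the hidden field
    carries the token bound to the submitting session."""
    if not helper.check_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    demo = CSRFHelper(b"constructed-demo-secret")  # constructed value
    print(render_hidden_input(demo, "session-A"))
    print(handle_post(demo, "session-A", {"csrf_token": demo.get_csrf_token("session-A")}))
```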


