[Framework-Team] PLIP 224: CSRF protection framework

Wichert Akkerman wichert at wiggy.net
Thu Jan 31 18:15:12 UTC 2008


See http://plone.org/products/plone/roadmap/224 for details.

I absolutely hate to do this since it violates our process and we
already have a large number of PLIPs waiting for review, but I am
proposing this PLIP for Plone 3.1.

The reason I am willing to do this is that it improves the security of
Plone: it adds protection against the unfortunately quite common CSRF
type of attacks. The implementation is based on a long debate we
had in the security team recently as a result of a discussion with
a security researcher contacting us about possible Plone security issues.

At this moment I do not have a review bundle ready; I'm hoping that
someone will beat me to it since I have very little time to work on it.

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.



