[Framework-Team] PLIP 224: CSRF protection framework
Raphael Ritz
raphael.ritz at incf.org
Thu Jan 31 21:29:32 UTC 2008
Wichert Akkerman wrote:
> Previously Raphael Ritz wrote:
>
>> There is one question I have already now: Who feels responsible
>> for updating the forms that ship with Plone/AT to make use of
>> this? (or am I missing something?) And don't get me wrong:
>> I have no problem shipping it even without using it right away
>> just to make it readily available.
>>
>
> A few quick comments:
>
> It is only important for the forms that are security sensitive.
Of course
> That
> comes down to personalize_form,
Yup
> the control panel forms
which are a few
> and the sharing
> form.
and don't forget that there are some that we ship without
offering them in the default UI like the ownership_form
> Perhaps a few others, but I think that list is quite complete
> already.
>
> Alex suggested the other day that AT itself could use this as well;
> considering how simple it is to use that should indeed be doable with a
> few small changes in base_edit.pt and processForm.
I agree that with these two we should be quite safe already.
Where I am lacking some overview and understanding at
the moment are the things KSS uses.
> Personally I'm not
> convinced we need to do this everywhere, but since the performance
> effect should be very small it won't hurt either.
>
>
Either way I can think of no reason at the moment to
not include this as soon as possible.
Raphael
> Wichert.
>
>
>
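As an added illustration of the approach the thread discusses (example code, not PLIP 224's or plone.protect's own): a per-user HMAC token is embedded in a form and checked again when the form is processed, and only the security-sensitive forms named above require the check. The function names, the `_authenticator` field name, the protected-form set and the sample users are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret, constructed at startup; in a real deployment it is
# persisted per site so tokens survive restarts.
SECRET_KEY = secrets.token_bytes(32)

# Forms the thread calls security sensitive (constructed set, names assumed).
PROTECTED_FORMS = {"personalize_form", "sharing", "ownership_form"}


def make_token(user_id: str, key: bytes = SECRET_KEY) -> str:
    """Hex token bound to the logged-in user and the server-side secret."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_token(user_id: str, token: Optional[str], key: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison; a missing or malformed token never passes."""
    if not token:
        return False
    return hmac.compare_digest(make_token(user_id, key), token)


def hidden_field(user_id: str) -> str:
    """Snippet a template such as base_edit.pt would emit inside the form."""
    return (
        '<input type="hidden" name="_authenticator" '
        f'value="{make_token(user_id)}" />'
    )


def process_form(form_name: str, user_id: str, fields: dict) -> str:
    """Simulated processForm: refuse a protected form without a valid token.

    Read-only or non-sensitive forms are processed without a token, which is
    the "only where it matters" policy discussed in the thread.
    """
    if form_name in PROTECTED_FORMS:
        if not check_token(user_id, fields.get("_authenticator")):
            return "rejected: missing or invalid CSRF token"
    return f"processed {form_name}"
```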