CSRF protection tests
=====================

Some background & an example attack
-----------------------------------

The following are integration tests trying to make sure the CSRF protection in Plone 3.1 actually works. Plone 3.1 comes with the packages implemented for `PLIP 224: CSRF protection framework `_, so they should already have been set up. This can be checked indirectly by making sure the authenticator view exists:

    >>> portal.restrictedTraverse('@@authenticator')

The same can be checked again from a testbrowser:

    >>> from plone.testing.z2 import Browser
    >>> browser = Browser(app)
    >>> browser.open('http://nohost/plone/@@authenticator')
    >>> browser.contents
    ''

So far, so good, but the important bit about this is that it should protect Plone from CSRF attacks, so we try to test that. A CSRF attack works by having an already logged-in portal member, preferably one with administrator rights, browse a web page of another (or even the same) site and tricking that member into making a malicious request, by clicking a link or submitting a form, using their credentials. The typical attack would use an invisible `
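To make the mechanism under test concrete, here is an added, stand-alone model of how a per-user authenticator token protects a form against the attack described above. It is example code written for this page, not plone.protect's implementation; the site secret, the SHA-1 HMAC construction and the request dictionaries are constructed assumptions.

```python
import hmac
import hashlib

# Constructed site secret (assumption: a real site keeps this server-side and secret).
SITE_SECRET = b"constructed-site-secret"


def create_token(user_id: str, secret: bytes = SITE_SECRET) -> str:
    """Derive the per-user token: an HMAC over the user id with the site secret."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha1).hexdigest()


def authenticator_field(user_id: str, secret: bytes = SITE_SECRET) -> str:
    """Hidden form field a CSRF-protected form renders for the logged-in user."""
    return '<input type="hidden" name="_authenticator" value="%s"/>' % (
        create_token(user_id, secret))


def check(request_form: dict, user_id: str, secret: bytes = SITE_SECRET) -> bool:
    """Server-side check: honour a state-changing request only when the submitted
    _authenticator matches the token derived for the *currently logged-in* user."""
    submitted = request_form.get("_authenticator")
    if not isinstance(submitted, str):
        return False  # missing or malformed token -> reject
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(submitted, create_token(user_id, secret))


def simulate() -> dict:
    """Run the check against constructed requests a logged-in admin might send."""
    admin = "admin"
    # A form rendered by the site itself carries the victim's valid token.
    legit = {"title": "new page", "_authenticator": create_token(admin)}
    # A cross-site form cannot read the victim's token (same-origin policy), so
    # it can only omit it, guess it, or replay a token issued to another user.
    forged_missing = {"title": "pwned"}
    forged_guess = {"title": "pwned", "_authenticator": "0" * 40}
    replayed_other = {"title": "pwned", "_authenticator": create_token("mallory")}
    return {
        "legit": check(legit, admin),
        "missing": check(forged_missing, admin),
        "guess": check(forged_guess, admin),
        "other_user": check(replayed_other, admin),
    }
```

Only the request carrying the token tied to the logged-in user passes; the cross-site variants are rejected regardless of the victim's session cookie.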