Comment 1 for bug 805794

Adding generic CSRF support to z3c.form has been discussed on the mailing list. At this point you need to take care of it manually in your own forms. The form framework doesn't promise you any protection, so it's a missing feature but not a bug from our perspective.

At some point the form framework might offer integrated support for it. You can read up on the discussion at https://mail.zope.org/pipermail/zope-dev/2011-April/042760.html