summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Holtermann <info@markusholtermann.eu>2016-10-15 20:32:19 +0200
committerTim Graham <timograham@gmail.com>2016-10-18 11:40:45 -0400
commitd3ca2907789c348bb132dfd112379df07db0cbbf (patch)
tree010ca2fb4933642e63da329d03f7fb372495ab0e
parent64e4adbfef343ce77ffcc9be219af69b65effcb3 (diff)
[1.10.x] Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.
Backport of b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230 from master
-rw-r--r--docs/spelling_wordlist1
-rw-r--r--docs/topics/auth/default.txt9
2 files changed, 10 insertions, 0 deletions
diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist
index 6f076f5e33..826bc89693 100644
--- a/docs/spelling_wordlist
+++ b/docs/spelling_wordlist
@@ -253,6 +253,7 @@ fallback
fallbacks
faq
FastCGI
+favicon
fieldset
fieldsets
filename
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 72507f6a17..2bb7883f75 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -999,6 +999,15 @@ implementation details see :ref:`using-the-views`.
authenticated users accessing the login page will be redirected as if
they had just successfully logged in. Defaults to ``False``.
+ .. warning::
+
+ If you enable ``redirect_authenticated_user``, other websites will be
+ able to determine if their visitors are authenticated on your site by
+ requesting redirect URLs to image files on your website. To avoid
+ this "`social media fingerprinting
+ <https://robinlinus.github.io/socialmedia-leak/>`_" information
+ leakage, host all images and your favicon on a separate domain.
+
.. deprecated:: 1.9
The ``current_app`` parameter is deprecated and will be removed in