summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-04-25 10:27:13 -0400
committerTim Graham <timograham@gmail.com>2014-04-25 10:27:13 -0400
commitf65eb15ac6807e3a44846be3cccc9bfc3e4b72cb (patch)
tree3fbb2abcdd92caef85bd1cde5a4b717d7dfc2c00
parentdeb561bbe2dbacac32d65272beab3a7708e2c31d (diff)
Fixed #22504 -- Corrected domain terminology in security guide.
Thanks chris at chrullrich.net.
-rw-r--r--docs/topics/security.txt10
1 files changed, 5 insertions, 5 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index f1d987b3c4..3fe20a3cc3 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -237,11 +237,11 @@ User-uploaded content
you can take to mitigate these attacks:
1. One class of attacks can be prevented by always serving user uploaded
- content from a distinct Top Level Domain (TLD). This prevents any
- exploit blocked by `same-origin policy`_ protections such as cross site
- scripting. For example, if your site runs on ``example.com``, you would
- want to serve uploaded content (the :setting:`MEDIA_URL` setting) from
- something like ``usercontent-example.com``. It's *not* sufficient to
+ content from a distinct top-level or second-level domain. This prevents
+ any exploit blocked by `same-origin policy`_ protections such as cross
+ site scripting. For example, if your site runs on ``example.com``, you
+ would want to serve uploaded content (the :setting:`MEDIA_URL` setting)
+ from something like ``usercontent-example.com``. It's *not* sufficient to
serve content from a subdomain like ``usercontent.example.com``.
2. Beyond this, applications may choose to define a whitelist of allowable