diff options
| author | Tim Graham <timograham@gmail.com> | 2014-04-25 10:27:13 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-04-25 10:29:18 -0400 |
| commit | c050ce7de2091f580bf85ab367d9c7f5cb26f44c (patch) | |
| tree | 3dd338fe81804f65db89cc9a2fc04572ab896db8 /docs | |
| parent | bde1bc66724db34dcde598f064448da1f2a8a810 (diff) | |
[1.7.x] Fixed #22504 -- Corrected domain terminology in security guide.
Thanks chris at chrullrich.net.
Backport of f65eb15ac6 from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/topics/security.txt | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 5fd62eb694..b30d340b02 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -237,11 +237,11 @@ User-uploaded content you can take to mitigate these attacks: 1. One class of attacks can be prevented by always serving user uploaded - content from a distinct Top Level Domain (TLD). This prevents any - exploit blocked by `same-origin policy`_ protections such as cross site - scripting. For example, if your site runs on ``example.com``, you would - want to serve uploaded content (the :setting:`MEDIA_URL` setting) from - something like ``usercontent-example.com``. It's *not* sufficient to + content from a distinct top-level or second-level domain. This prevents + any exploit blocked by `same-origin policy`_ protections such as cross + site scripting. For example, if your site runs on ``example.com``, you + would want to serve uploaded content (the :setting:`MEDIA_URL` setting) + from something like ``usercontent-example.com``. It's *not* sufficient to serve content from a subdomain like ``usercontent.example.com``. 2. Beyond this, applications may choose to define a whitelist of allowable |
