summaryrefslogtreecommitdiff
path: root/docs/topics
diff options
context:
space:
mode:
Diffstat (limited to 'docs/topics')
-rw-r--r--docs/topics/auth/default.txt9
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 9d70cedf9d..cc4a0daf12 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
authenticated users accessing the login page will be redirected as if
they had just successfully logged in. Defaults to ``False``.
+ .. warning::
+
+ If you enable ``redirect_authenticated_user``, other websites will be
+ able to determine if their visitors are authenticated on your site by
+ requesting redirect URLs to image files on your website. To avoid
+ this "`social media fingerprinting
+ <https://robinlinus.github.io/socialmedia-leak/>`_" information
+ leakage, host all images and your favicon on a separate domain.
+
* ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
:meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
safe for redirecting after login. Defaults to an empty :class:`set`.