| field | value | date |
|---|---|---|
| author | Markus Holtermann <info@markusholtermann.eu> | 2016-10-15 20:32:19 +0200 |
| committer | Tim Graham <timograham@gmail.com> | 2016-10-18 11:37:56 -0400 |
| commit | b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230 (patch) | |
| tree | 54a08bb2beea012d4cc971b2be53ec46be100ca2 | |
| parent | 2327fad54e334119f2561ddddf52e5af4bb14d41 (diff) | |
Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/spelling_wordlist | 1 |
| -rw-r--r-- | docs/topics/auth/default.txt | 9 |
2 files changed, 10 insertions, 0 deletions
diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist index d905196950..8218fe0219 100644 --- a/docs/spelling_wordlist +++ b/docs/spelling_wordlist @@ -253,6 +253,7 @@ fallback fallbacks faq FastCGI +favicon fieldset fieldsets filename diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 9d70cedf9d..cc4a0daf12 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`. authenticated users accessing the login page will be redirected as if they had just successfully logged in. Defaults to ``False``. + .. warning:: + + If you enable ``redirect_authenticated_user``, other websites will be + able to determine if their visitors are authenticated on your site by + requesting redirect URLs to image files on your website. To avoid + this "`social media fingerprinting + <https://robinlinus.github.io/socialmedia-leak/>`_" information + leakage, host all images and your favicon on a separate domain. + * ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to :meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are safe for redirecting after login. Defaults to an empty :class:`set`. |
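Review bot: in the docs/topics/auth/default.txt hunk, the mitigation "host all images and your favicon on a separate domain" only closes the leak if that separate domain is not also listed in ``success_url_allowed_hosts`` (documented in the context lines right below the warning as hosts that are "safe for redirecting after login"); if it is, a login URL whose redirect target is an image on that domain still redirects for authenticated users and the probe works again. Suggest adding one sentence to the warning making that dependency explicit, e.g. "and do not add that domain to ``success_url_allowed_hosts``". The phrase "by requesting redirect URLs to image files on your website" is also vague about the mechanism; naming it as a login URL whose redirect target is an image, which loads for an authenticated visitor but returns the login page for an unauthenticated one, would make the warning easier for readers to act on.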
