author     Markus Holtermann <info@markusholtermann.eu>   2016-10-15 20:32:19 +0200
committer  Tim Graham <timograham@gmail.com>              2016-10-18 11:37:56 -0400
commit     b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230 (patch)
tree       54a08bb2beea012d4cc971b2be53ec46be100ca2 /docs/topics
parent     2327fad54e334119f2561ddddf52e5af4bb14d41 (diff)
Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.
Diffstat (limited to 'docs/topics')
-rw-r--r--  docs/topics/auth/default.txt  9
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 9d70cedf9d..cc4a0daf12 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
authenticated users accessing the login page will be redirected as if
they had just successfully logged in. Defaults to ``False``.
+ .. warning::
+
+ If you enable ``redirect_authenticated_user``, other websites will be
+ able to determine if their visitors are authenticated on your site by
+ requesting redirect URLs to image files on your website. To avoid
+ this "`social media fingerprinting
+ <https://robinlinus.github.io/socialmedia-leak/>`_" information
+ leakage, host all images and your favicon on a separate domain.
+
* ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
:meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
safe for redirecting after login. Defaults to an empty :class:`set`.
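Review bot: the mitigation in the last sentence of the new warning is narrower than the attack it describes. The probe works with any same-origin resource a browser can load through a tag that fires ``onload``/``onerror``, not only images: a ``<script>`` or ``<link rel="stylesheet">`` whose ``src``/``href`` is the login URL with ``next`` pointing at a file under ``STATIC_URL`` leaks the same "logged in or not" bit, because a logged-in visitor gets redirected to the asset (loads) while an anonymous visitor gets the login page HTML (fails). Suggest widening the recommendation to "host all static assets (images, scripts, stylesheets and your favicon) on a separate domain", and naming ``next`` as the redirect vector so readers recognise the probe (e.g. ``<login path>?next=/static/logo.png``). Worth also stating explicitly that leaving the option at its default of ``False`` avoids the leak entirely, since that is the simplest fix for sites that do not need the redirect.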