p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.

This commit is contained in:
Markus Holtermann 2016-10-15 20:32:19 +02:00 committed by Tim Graham
parent 2327fad54e
commit b5fc192b99
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/spelling_wordlist
View File

@ -253,6 +253,7 @@ fallback
fallbacks fallbacks
faq faq
FastCGI FastCGI
favicon
fieldset fieldset
fieldsets fieldsets
filename filename

9
docs/topics/auth/default.txt
View File

@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
authenticated users accessing the login page will be redirected as if authenticated users accessing the login page will be redirected as if
they had just successfully logged in. Defaults to ``False``. they had just successfully logged in. Defaults to ``False``.
.. warning::
If you enable ``redirect_authenticated_user``, other websites will be
able to determine if their visitors are authenticated on your site by
requesting redirect URLs to image files on your website. To avoid
this "`social media fingerprinting
<https://robinlinus.github.io/socialmedia-leak/>`_" information
leakage, host all images and your favicon on a separate domain.
* ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to * ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
:meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are :meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
safe for redirecting after login. Defaults to an empty :class:`set`. safe for redirecting after login. Defaults to an empty :class:`set`.