Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.
Tim Graham 2014-04-25 10:27:13 -04:00
parent deb561bbe2
commit f65eb15ac6
1 changed file with 5 additions and 5 deletions


@ -237,11 +237,11 @@ User-uploaded content
you can take to mitigate these attacks: you can take to mitigate these attacks:
1. One class of attacks can be prevented by always serving user uploaded 1. One class of attacks can be prevented by always serving user uploaded
content from a distinct Top Level Domain (TLD). This prevents any content from a distinct top-level or second-level domain. This prevents
exploit blocked by `same-origin policy`_ protections such as cross site any exploit blocked by `same-origin policy`_ protections such as cross
scripting. For example, if your site runs on ``example.com``, you would site scripting. For example, if your site runs on ``example.com``, you
want to serve uploaded content (the :setting:`MEDIA_URL` setting) from would want to serve uploaded content (the :setting:`MEDIA_URL` setting)
something like ``usercontent-example.com``. It's *not* sufficient to from something like ``usercontent-example.com``. It's *not* sufficient to
serve content from a subdomain like ``usercontent.example.com``. serve content from a subdomain like ``usercontent.example.com``.
2. Beyond this, applications may choose to define a whitelist of allowable 2. Beyond this, applications may choose to define a whitelist of allowable
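Review bot: the terminology fix is correct and resolves a contradiction in the old text: ``usercontent-example.com`` shares the ``.com`` top-level domain with ``example.com``, so "a distinct Top Level Domain (TLD)" did not describe its own example, while "top-level or second-level domain" does. One documentation point remains in the same sentence: "It's *not* sufficient to serve content from a subdomain like ``usercontent.example.com``" is asserted without a reason, and a reader choosing between the two layouts would want one. A short clause such as "because cookies and other state set for ``example.com`` can be scoped to reach its subdomains, whereas a separate second-level domain shares none of it" would make the recommendation self-explaining without changing its substance.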