[1.6.x] Fixed #22504 -- Corrected domain terminology in security guide.
Thanks chris at chrullrich.net.
Backport of f65eb15ac6 from master
parent 2b0e9aa57d
commit e9c78435ab
|
@ -237,11 +237,11 @@ User-uploaded content
|
||||||
you can take to mitigate these attacks:
|
you can take to mitigate these attacks:
|
||||||
|
|
||||||
1. One class of attacks can be prevented by always serving user uploaded
|
1. One class of attacks can be prevented by always serving user uploaded
|
||||||
content from a distinct Top Level Domain (TLD). This prevents any
|
content from a distinct top-level or second-level domain. This prevents
|
||||||
exploit blocked by `same-origin policy`_ protections such as cross site
|
any exploit blocked by `same-origin policy`_ protections such as cross
|
||||||
scripting. For example, if your site runs on ``example.com``, you would
|
site scripting. For example, if your site runs on ``example.com``, you
|
||||||
want to serve uploaded content (the :setting:`MEDIA_URL` setting) from
|
would want to serve uploaded content (the :setting:`MEDIA_URL` setting)
|
||||||
something like ``usercontent-example.com``. It's *not* sufficient to
|
from something like ``usercontent-example.com``. It's *not* sufficient to
|
||||||
serve content from a subdomain like ``usercontent.example.com``.
|
serve content from a subdomain like ``usercontent.example.com``.
|
||||||
|
|
||||||
2. Beyond this, applications may choose to define a whitelist of allowable
|
2. Beyond this, applications may choose to define a whitelist of allowable
|
||||||
|
|
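Review bot: the new wording on the second changed line, "a distinct top-level or second-level domain", is more accurate than the old "Top Level Domain (TLD)" (``usercontent-example.com`` is a second-level name under ``.com``, not a TLD) but is still imprecise for registries such as ``.co.uk``, where the registrable name sits at the third level; consider "a separately registered domain" so the rule matches the ``usercontent-example.com`` example that follows. The last changed sentence, "It's *not* sufficient to serve content from a subdomain like ``usercontent.example.com``", states the rule without the reason; a short clause noting that a subdomain still shares cookies and other browser trust with its parent domain would let readers apply the rule beyond the one example.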