1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.

This commit is contained in:
Markus Holtermann 2016-10-15 20:32:19 +02:00 committed by Tim Graham
parent 2327fad54e
commit b5fc192b99
2 changed files with 10 additions and 0 deletions

View File

@ -253,6 +253,7 @@ fallback
fallbacks
faq
FastCGI
favicon
fieldset
fieldsets
filename

View File

@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
authenticated users accessing the login page will be redirected as if
they had just successfully logged in. Defaults to ``False``.
.. warning::
If you enable ``redirect_authenticated_user``, other websites will be
able to determine if their visitors are authenticated on your site by
requesting redirect URLs to image files on your website. To avoid
this "`social media fingerprinting
<https://robinlinus.github.io/socialmedia-leak/>`_" information
leakage, host all images and your favicon on a separate domain.
* ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
:meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
safe for redirecting after login. Defaults to an empty :class:`set`.