mirror of https://github.com/django/django.git (synced 2024-12-22 17:16:24 +00:00)
Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.
This commit is contained in:
parent 2327fad54e
commit b5fc192b99
@ -253,6 +253,7 @@ fallback
|
||||
fallbacks
|
||||
faq
|
||||
FastCGI
|
||||
favicon
|
||||
fieldset
|
||||
fieldsets
|
||||
filename
|
||||
|
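Review bot: the single added wordlist entry, ``favicon``, is in the correct case-insensitive alphabetical position between ``FastCGI`` and ``fieldset`` and matches the lowercase spelling used in the new documentation text ("your favicon"); nothing to change here, just confirm the docs spelling check passes with the new warning in place.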
@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
|
||||
authenticated users accessing the login page will be redirected as if
|
||||
they had just successfully logged in. Defaults to ``False``.
|
||||
|
||||
.. warning::
|
||||
|
||||
If you enable ``redirect_authenticated_user``, other websites will be
|
||||
able to determine if their visitors are authenticated on your site by
|
||||
requesting redirect URLs to image files on your website. To avoid
|
||||
this "`social media fingerprinting
|
||||
<https://robinlinus.github.io/socialmedia-leak/>`_" information
|
||||
leakage, host all images and your favicon on a separate domain.
|
||||
|
||||
* ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
|
||||
:meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
|
||||
safe for redirecting after login. Defaults to an empty :class:`set`.
|
||||
|
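Review bot: the mitigation in the new warning (host all images and the favicon on a separate domain) only holds if that domain can never be accepted as a post-login redirect target, and the very next bullet documents ``success_url_allowed_hosts``, which would allow exactly such a redirect if the image domain were listed there; suggest closing the warning with a sentence that ties the two together, e.g. "and do not add that domain to ``success_url_allowed_hosts``." As a wording point, "requesting redirect URLs to image files on your website" would read more clearly as "requesting login URLs that redirect to image files on your website", since the leak comes from the login view's redirect, not from the image URLs themselves.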