Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user.

2016-10-15 20:32:19 +02:00 · 2016-10-15 20:32:19 +02:00 · b5fc192b99
parent 2327fad54e
commit b5fc192b99
2 changed files with 10 additions and 0 deletions
--- a/docs/spelling_wordlist
+++ b/docs/spelling_wordlist
@ -253,6 +253,7 @@ fallback
 fallbacks
 faq
 FastCGI
+favicon
 fieldset
 fieldsets
 filename
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
      authenticated users accessing the login page will be redirected as if
      they had just successfully logged in. Defaults to ``False``.

+      .. warning::
+
+        If you enable ``redirect_authenticated_user``, other websites will be
+        able to determine if their visitors are authenticated on your site by
+        requesting redirect URLs to image files on your website. To avoid
+        this "`social media fingerprinting
+        <https://robinlinus.github.io/socialmedia-leak/>`_" information
+        leakage, host all images and your favicon on a separate domain.
+
    * ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
      :meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
      safe for redirecting after login. Defaults to an empty :class:`set`.