mirror of https://github.com/django/django.git, synced 2025-10-26 15:16:09 +00:00
[1.7.x] Fixed #22504 -- Corrected domain terminology in security guide.
Thanks chris at chrullrich.net.
Backport of f65eb15ac6 from master
			
			
		| @@ -237,11 +237,11 @@ User-uploaded content | |||||||
|   you can take to mitigate these attacks: |   you can take to mitigate these attacks: | ||||||
|  |  | ||||||
|   1. One class of attacks can be prevented by always serving user uploaded |   1. One class of attacks can be prevented by always serving user uploaded | ||||||
|      content from a distinct Top Level Domain (TLD). This prevents any |      content from a distinct top-level or second-level domain. This prevents | ||||||
|      exploit blocked by `same-origin policy`_ protections such as cross site |      any exploit blocked by `same-origin policy`_ protections such as cross | ||||||
|      scripting. For example, if your site runs on ``example.com``, you would |      site scripting. For example, if your site runs on ``example.com``, you | ||||||
|      want to serve uploaded content (the :setting:`MEDIA_URL` setting) from |      would want to serve uploaded content (the :setting:`MEDIA_URL` setting) | ||||||
|      something like ``usercontent-example.com``. It's *not* sufficient to |      from something like ``usercontent-example.com``. It's *not* sufficient to | ||||||
|      serve content from a subdomain like ``usercontent.example.com``. |      serve content from a subdomain like ``usercontent.example.com``. | ||||||
|  |  | ||||||
|   2. Beyond this, applications may choose to define a whitelist of allowable |   2. Beyond this, applications may choose to define a whitelist of allowable | ||||||
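Review bot: the replacement wording "a distinct top-level or second-level domain" in the first changed line is an improvement over "Top Level Domain (TLD)", but it is still looser than the examples that follow it: the criterion the hunk actually illustrates is a separately registered domain (``usercontent-example.com``) as opposed to a subdomain of the site's own domain (``usercontent.example.com``). Consider wording the sentence around that contrast directly, e.g. "from a domain registered separately from the site's own domain, not from a subdomain of it", so the rule does not depend on the reader's interpretation of "second-level". Secondly, the paragraph states that a subdomain is *not* sufficient right after naming the `same-origin policy`_ as the protection being relied on, but never says why a subdomain falls short; a short clause giving the reason would let readers apply the rule to configurations the example does not cover. The remaining changes in the hunk are only line re-wrapping of the same sentences and need no further review.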