Ticket #22504: 22504.2.diff

File 22504.2.diff, 1.2 KB (added by chris@…, 10 years ago)

Suggested wording, update 1.

  • docs/topics/security.txt

    diff --git a/docs/topics/security.txt b/docs/topics/security.txt
    index aaee7d8..44ce33f 100644
    a b User-uploaded content  
    236236  you can take to mitigate these attacks:
    237237
    238238  1. One class of attacks can be prevented by always serving user uploaded
    239      content from a distinct Top Level Domain (TLD). This prevents any
    240      exploit blocked by `same-origin policy`_ protections such as cross site
    241      scripting. For example, if your site runs on ``example.com``, you would
    242      want to serve uploaded content (the :setting:`MEDIA_URL` setting) from
    243      something like ``usercontent-example.com``. It's *not* sufficient to
     239     content from a distinct top-level or second-level domain. This prevents
     240     any exploit blocked by `same-origin policy`_ protections such as cross
     241     site scripting. For example, if your site runs on ``example.com``, you
     242     would want to serve uploaded content (the :setting:`MEDIA_URL` setting)
     243     from something like ``usercontent-example.com``. It's *not* sufficient to
    244244     serve content from a subdomain like ``usercontent.example.com``.
    245245
    246246  2. Beyond this, applications may choose to define a whitelist of allowable
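Review bot: the new wording "top-level or second-level domain" is still loose for the point the paragraph is making, since the example ``usercontent-example.com`` is neither a TLD nor clearly distinguished from ``usercontent.example.com`` by "level" alone. What matters for the same-origin policy and cookie scoping is that uploaded content is served from a separate registrable domain, so consider "from a distinct domain (a separate registrable domain, not a subdomain of your site)" and keeping the sentence "It's *not* sufficient to serve content from a subdomain like ``usercontent.example.com``" as the contrast; the original "Top Level Domain (TLD)" was wrong for the same reason, so the direction of this change is right.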