Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#22504 closed Bug (fixed)

Wrong terminology (TLD/SLD) in docs: /topics/security/

Reported by: chris@…
Owned by: nobody
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

/topics/security says about leveraging the same-origin policy:

One class of attacks can be prevented by always serving user uploaded content from a distinct Top Level Domain (TLD). This prevents any exploit blocked by same-origin policy protections such as cross site scripting. For example, if your site runs on example.com, you would want to serve uploaded content (the MEDIA_URL setting) from something like usercontent-example.com. It’s not sufficient to serve content from a subdomain like usercontent.example.com.

The term "Top Level Domain" is wrong and should be replaced by "second-level domain". In this example, the TLD is .com, but the example emphasizes the difference between "example.com" and "usercontent-example.com", which are different SLDs sharing the same TLD.
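The quoted guidance turns on two separate browser mechanisms: the same-origin policy (which compares scheme, host and port, so a subdomain already counts as a different origin) and cookie scoping (a cookie set with `Domain=example.com` is sent to every subdomain, which is why a subdomain is still not isolated from the main site). The following Python script is an added example, not part of the ticket, the patch or the Django documentation; it checks a candidate MEDIA_URL host against both mechanisms. The hostnames are constructed, and the `registrable_domain` helper is a deliberate simplification (last two labels, no public suffix list).

```python
"""Check how isolated a candidate MEDIA_URL host is from the application host.

Added example (not Django's code). Two checks per candidate host:
  1. same_origin: would the browser treat the two URLs as one origin?
  2. cookie_leaks_to: would a cookie the site sets with
     Domain=<registrable domain> also be sent to the media host?
     (RFC 6265 section 5.1.3 domain matching)
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, host, port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def registrable_domain(host):
    # Assumption / simplification: the registrable domain is the last two
    # labels (example.com). Production code should consult the public suffix
    # list, because suffixes such as co.uk have more than one label.
    return ".".join(host.lower().split(".")[-2:])


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: the host equals the domain, or ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_leaks_to(site_url, media_url):
    """True if a Domain=<site registrable domain> cookie reaches the media host."""
    site_host = origin(site_url)[1]
    media_host = origin(media_url)[1]
    return domain_matches(media_host, registrable_domain(site_host))


def assess(site_url, media_url):
    """Summarise the isolation between the app host and a MEDIA_URL host."""
    return {
        "same_origin": same_origin(site_url, media_url),
        "shares_site_cookies": cookie_leaks_to(site_url, media_url),
    }


if __name__ == "__main__":
    # Constructed hostnames mirroring the documentation's example.
    site = "https://example.com"
    for media in (
        "https://example.com/media/",
        "https://usercontent.example.com/media/",
        "https://usercontent-example.com/media/",
    ):
        print(media, assess(site, media))
```

Run as-is, only the third candidate (`usercontent-example.com`) comes back with both `same_origin` and `shares_site_cookies` false; the subdomain is a separate origin but still receives the site's domain-scoped cookies. The script does not model the legacy `document.domain` relaxation, which is a further reason a subdomain of the application host is weaker than a separate registrable domain.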

Attachments (2)

22504.diff (1.4 KB ) - added by chris@… 10 years ago.
Suggested wording.
22504.2.diff (1.2 KB ) - added by chris@… 10 years ago.
Suggested wording, update 1.


Change History (8)

by chris@…, 10 years ago

Attachment: 22504.diff added

Suggested wording.

comment:1 by chris@…, 10 years ago

Has patch: set

comment:2 by Sasha Romijn, 10 years ago

Patch needs improvement: set
Triage Stage: Unreviewed → Accepted

This is definitely a mistake, and something we should improve. The only thing I'm not sure about is the specific suggestion to have the Django app on example.com, and the user content on example.net. Although this will certainly work, it's a lot less obvious. In most cases, users who own both example.net and example.com would redirect one to the other. So this feels more error-prone. Perhaps we should leave the examples as they are currently.

by chris@…, 10 years ago

Attachment: 22504.2.diff added

Suggested wording, update 1.

comment:3 by chris@…, 10 years ago

Patch needs improvement: unset

Agreed, updated. I left the option of serving from a different top-level domain in, but reverted the addition of an example for that.

comment:4 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: new → closed

In f65eb15ac6807e3a44846be3cccc9bfc3e4b72cb:

Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.

comment:5 by Tim Graham <timograham@…>, 10 years ago

In c050ce7de2091f580bf85ab367d9c7f5cb26f44c:

[1.7.x] Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.

Backport of f65eb15ac6 from master

comment:6 by Tim Graham <timograham@…>, 10 years ago

In e9c78435ab9cfd27d0815c244c9a1feb08cc18d1:

[1.6.x] Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.

Backport of f65eb15ac6 from master
