﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27352	Warn about social media fingerprinting when using redirect_authenticated_user	Markus Holtermann	Markus Holtermann	"Public disclosure after talking with security team.

Django 1.10 introduced `redirect_authenticated_user` to the login views. A report I came across the other day (https://robinlinus.github.io/socialmedia-leak/) points out that redirects on GET for authenticated users can potentially be used to gain the login state of a user for a site.

I believe we should warn users about that issue. Reverting 10781b4c6ff981f581157957d221e7621e0bf4ed (#12233) doesn't seem necessary to me. It is a useful feature if you know you don't serve image files from those domains."	Cleanup/optimization	closed	Documentation	1.10	Normal	fixed			Ready for checkin	1	0	0	0	0	0
