[Django] #22504: Wrong terminology (TLD/SLD) in docs: /topics/security/


Django
Apr 24, 2014, 9:33:22 AM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+--------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------
/topics/security says about leveraging the same-origin policy:

One class of attacks can be prevented by always serving user uploaded
content from a distinct Top Level Domain (TLD). This prevents any exploit
blocked by same-origin policy protections such as cross site scripting.
For example, if your site runs on example.com, you would want to serve
uploaded content (the MEDIA_URL setting) from something like
usercontent-example.com. It’s not sufficient to serve content from a
subdomain like usercontent.example.com.

The term "Top Level Domain" is wrong and should be replaced by
"second-level domain". In this example, the TLD is .com, but the example
emphasizes the difference between "example.com" and
"usercontent-example.com", which are different SLDs sharing the same TLD.

--
Ticket URL: <https://code.djangoproject.com/ticket/22504>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
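An added illustration of the distinction the report draws, not part of the ticket or of Django's own code: a check that the host in MEDIA_URL sits on a different registrable domain (the "second-level domain" in the report's terms) than the site itself, so that usercontent.example.com is rejected while usercontent-example.com passes. The small multi-label suffix set is a constructed stand-in for the Public Suffix List, and the hostnames are constructed sample values.

```python
"""Verify that user-uploaded content is served from a different
registrable domain (eTLD+1) than the application, as the Django security
guide advises. Added example; MULTI_LABEL_SUFFIXES is a constructed,
deliberately incomplete stand-in for the Public Suffix List."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which
# the registrable name is three labels long, not two.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a site owner registers, e.g.
    'example.com' for 'usercontent.example.com' (the report's SLD)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def host_of(url_or_host: str) -> str:
    """Extract the hostname from a bare host, an absolute URL, or a
    protocol-relative URL; a path-only value yields ''."""
    value = url_or_host if "//" in url_or_host else "//" + url_or_host
    return urlsplit(value).hostname or ""


def media_origin_is_isolated(site_host: str, media_url: str) -> bool:
    """True when MEDIA_URL lives on a different registrable domain than
    the site. A subdomain is not enough: the same-origin policy treats it
    as a distinct origin, but cookies scoped to the parent domain still
    flow to it, which is why the guide asks for a separate domain."""
    media_host = host_of(media_url)
    if not media_host:
        return False  # relative MEDIA_URL is served from the site itself
    return registrable_domain(media_host) != registrable_domain(site_host)
```

In a real project this belongs in a Django system check that reads settings.MEDIA_URL and the canonical site host, and the suffix lookup should use a maintained Public Suffix List library.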

Django
Apr 24, 2014, 9:47:33 AM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+--------------------------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by chris@…):

* needs_better_patch: => 0
* has_patch: 0 => 1
* needs_tests: => 0
* needs_docs: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/22504#comment:1>

Django
Apr 24, 2014, 3:19:31 PM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+------------------------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by erikr):

* needs_better_patch: 0 => 1
* stage: Unreviewed => Accepted


Comment:

This is definitely a mistake, and something we should improve. The only
thing I'm not sure about is the specific suggestion to have the Django app
on example.com, and the user content on example.net. Although this will
certainly work, it's a lot less obvious. In most cases, users who own both
example.net and example.com would redirect one to the other. So this feels
more error-prone. Perhaps we should leave the examples as they are
currently.

--
Ticket URL: <https://code.djangoproject.com/ticket/22504#comment:2>

Django
Apr 25, 2014, 1:11:56 AM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+------------------------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by chris@…):

* needs_better_patch: 1 => 0


Comment:

Agreed, updated. I left the option of serving from a different top-level
domain in, but reverted the addition of an example for that.

--
Ticket URL: <https://code.djangoproject.com/ticket/22504#comment:3>

Django
Apr 25, 2014, 10:29:26 AM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+------------------------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"f65eb15ac6807e3a44846be3cccc9bfc3e4b72cb"]:
{{{
#!CommitTicketReference repository=""
revision="f65eb15ac6807e3a44846be3cccc9bfc3e4b72cb"
Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22504#comment:4>

Django
Apr 25, 2014, 10:30:03 AM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+------------------------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"c050ce7de2091f580bf85ab367d9c7f5cb26f44c"]:
{{{
#!CommitTicketReference repository=""
revision="c050ce7de2091f580bf85ab367d9c7f5cb26f44c"
[1.7.x] Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.

Backport of f65eb15ac6 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22504#comment:5>

Django
Apr 25, 2014, 10:30:04 AM
to django-...@googlegroups.com
#22504: Wrong terminology (TLD/SLD) in docs: /topics/security/
-------------------------------+------------------------------------
Reporter: chris@… | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"e9c78435ab9cfd27d0815c244c9a1feb08cc18d1"]:
{{{
#!CommitTicketReference repository=""
revision="e9c78435ab9cfd27d0815c244c9a1feb08cc18d1"
[1.6.x] Fixed #22504 -- Corrected domain terminology in security guide.

Thanks chris at chrullrich.net.

Backport of f65eb15ac6 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22504#comment:6>
