On Wednesday, February 6, 2013 at 6:41 PM, Richard Jones wrote:
> So the only real solution is the one you use, which is to set up the
> unsafe content on a separate domain. Easy enough, even I can buy
> domains ;-)
This is accurate (basically), at least if you want JavaScript to still be JavaScript and such. A completely separate domain only for user-uploaded content that itself has no secure content (so no cookies to steal or anything). SSL is optional since it's a separate domain. (Suggested to at least have SSL be an option though.)
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
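A check for the "separate domain" rule discussed above, added here as an example and not code from the thread or from the PyPI project: a subdomain of the main site is not isolated, because a cookie set with `Domain=example.org` is sent to every subdomain, so the check requires a different origin and a different registrable domain. The hostnames are placeholders, and the registrable-domain logic is a simplification (last two labels) that does not handle suffixes like `co.uk`.

```python
"""Verify that an upload host shares neither origin nor cookie scope
with the main site. Constructed example; hostnames are placeholders."""
from urllib.parse import urlsplit


def _origin(url):
    """Return the (scheme, host, port) tuple that defines an origin."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    default_port = 443 if parts.scheme == "https" else 80
    return parts.scheme.lower(), parts.hostname.lower(), parts.port or default_port


def registrable_domain(host):
    """Approximation: the last two DNS labels. A real deployment should use
    the Public Suffix List; this simplification is an assumption here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shares_cookie_scope(host_a, host_b):
    """Cookies scoped to the registrable domain reach all its subdomains,
    so www.example.org and uploads.example.org are NOT isolated."""
    return registrable_domain(host_a) == registrable_domain(host_b)


def is_isolated_upload_origin(site_url, upload_url):
    """True only when upload_url is a different origin from site_url AND
    sits under a different registrable domain (no shared cookies)."""
    site = _origin(site_url)
    upload = _origin(upload_url)
    if site == upload:
        return False  # same origin: scripts in uploads see site cookies
    return not shares_cookie_scope(site[1], upload[1])


if __name__ == "__main__":
    print(is_isolated_upload_origin("https://example.org",
                                    "https://example-usercontent.net"))
```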
