#27352: Warn about social media fingerprinting when using redirect_authenticated_user
------------------------------------------------+-------------------------------------
               Reporter:  Markus Holtermann     |          Owner:  Markus Holtermann
                   Type:  Cleanup/optimization  |         Status:  assigned
              Component:  Documentation         |        Version:  1.10
               Severity:  Normal                |       Keywords:
           Triage Stage:  Unreviewed            |      Has patch:  0
    Needs documentation:  1                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+-------------------------------------
 Public disclosure after talking with security team.

 Django 1.10 introduced `redirect_authenticated_user` to the login views. A
 report I came across the other day
 (https://robinlinus.github.io/socialmedia-leak/) points out how redirects on
 GET for authenticated users can potentially be used to gain the login state
 of a user for a site.

 I believe we should warn users about that issue. Reverting
 10781b4c6ff981f581157957d221e7621e0bf4ed (#12233) doesn't seem necessary
 to me. It is a useful feature if you know you don't serve image files from
 those domains.

--
Ticket URL: <https://code.djangoproject.com/ticket/27352>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
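The leak the ticket describes, modelled as an added example (not Django's code and not taken from the linked report): a third-party page embeds `<img src="https://app.example/accounts/login/?next=/static/logo.png">`; with `redirect_authenticated_user` a logged-in visitor is redirected to the image and the `onload` handler fires, an anonymous visitor gets the HTML login form and `onerror` fires, so the embedding site learns who is logged in. The login view, static server and browser below are stand-ins so the file runs without Django; the host names, paths, the `next` parameter name and the helper `url_is_same_host` (a simplified version of what Django's `url_has_allowed_host_and_scheme` check does) are constructed assumptions. The last scenario shows the ticket's own mitigation, serving image files from a host the login view never redirects to.

```python
"""Model of the social media fingerprinting leak behind Django ticket #27352.

Added example, not Django's code and not taken from the linked report.  The
login view, static server and browser are stand-ins written here so the file
runs offline without Django; the host names, paths and query parameter name
are constructed assumptions, as is ``url_is_same_host`` (a simplified stand-in
for Django's url_has_allowed_host_and_scheme).
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "app.example"       # assumed host running the login view
STATIC_HOST = "static.example"  # assumed separate host for images


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def url_is_same_host(url, allowed_host):
    """Accept a ``next`` target only if it is relative or on ``allowed_host``
    (simplified stand-in for Django's url_has_allowed_host_and_scheme)."""
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    return not parts.netloc or parts.netloc == allowed_host


def login_get(next_url, authenticated, redirect_authenticated_user):
    """GET on the login view.  With redirect_authenticated_user an already
    logged-in user is sent to ``next`` (falling back to '/' for a foreign host)
    before any HTML is rendered; everyone else gets the HTML form."""
    if redirect_authenticated_user and authenticated:
        target = next_url if url_is_same_host(next_url, SITE_HOST) else "/"
        return Response(302, {"Location": target})
    return Response(200, {"Content-Type": "text/html"})


def serve_static(host, path, image_hosts):
    """Static files: image paths exist only on the hosts in ``image_hosts``."""
    if path.endswith(".png") and host in image_hosts:
        return Response(200, {"Content-Type": "image/png"})
    return Response(404, {"Content-Type": "text/html"})


def img_probe(login_url, authenticated, redirect_authenticated_user, image_hosts):
    """Emulate a third-party page embedding <img src=login_url>: the browser
    sends the victim's cookies, follows the redirect, and fires onload only if
    the final response is an image.  Returns 'onload' or 'onerror'."""
    parts = urlsplit(login_url)
    next_url = parse_qs(parts.query).get("next", ["/"])[0]
    resp = login_get(next_url, authenticated, redirect_authenticated_user)
    if resp.status == 302:
        loc = urlsplit(resp.headers["Location"])
        resp = serve_static(loc.netloc or SITE_HOST, loc.path, image_hosts)
    content_type = resp.headers.get("Content-Type", "")
    is_image = resp.status == 200 and content_type.startswith("image/")
    return "onload" if is_image else "onerror"


def login_state_leaks(login_url, redirect_authenticated_user, image_hosts):
    """True if the probe's outcome differs for logged-in vs anonymous visitors,
    i.e. the embedding site can tell who is logged in."""
    results = {
        state: img_probe(login_url, state, redirect_authenticated_user, image_hosts)
        for state in (True, False)
    }
    return results[True] != results[False]


PROBE = f"https://{SITE_HOST}/accounts/login/?next=/static/logo.png"
CROSS_HOST_PROBE = f"https://{SITE_HOST}/accounts/login/?next=https://{STATIC_HOST}/logo.png"

if __name__ == "__main__":
    # 1. Images on the login host + redirect_authenticated_user: leak.
    print("images on login host, option on :", login_state_leaks(PROBE, True, {SITE_HOST}))
    # 2. Same setup with the option off: everyone gets HTML, nothing to tell apart.
    print("images on login host, option off:", login_state_leaks(PROBE, False, {SITE_HOST}))
    # 3. Option on, images only on a separate host: the redirect lands on a 404
    #    for everyone, and a cross-host ``next`` is rejected, so no leak.
    print("images on separate host, option on:", login_state_leaks(PROBE, True, {STATIC_HOST}))
    print("cross-host next, option on        :", login_state_leaks(CROSS_HOST_PROBE, True, {STATIC_HOST}))
```

The probe needs no script on the attacking page beyond `onload`/`onerror` handlers, which is why the leak survives any CSP on the victim site; the only levers the site operator has are the option itself and where image files are served from.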
