From d3ca2907789c348bb132dfd112379df07db0cbbf Mon Sep 17 00:00:00 2001 From: Markus Holtermann Date: Sat, 15 Oct 2016 20:32:19 +0200 Subject: [PATCH] [1.10.x] Fixed #27352 -- Doc'd social media fingerprinting consideration with login's redirect_authenticated_user. Backport of b5fc192b99ce92a7ccad08cca7b59b1a4e7ca230 from master --- docs/spelling_wordlist | 1 + docs/topics/auth/default.txt | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/docs/spelling_wordlist b/docs/spelling_wordlist index 6f076f5e33..826bc89693 100644 --- a/docs/spelling_wordlist +++ b/docs/spelling_wordlist @@ -253,6 +253,7 @@ fallback fallbacks faq FastCGI +favicon fieldset fieldsets filename diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 72507f6a17..2bb7883f75 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -999,6 +999,15 @@ implementation details see :ref:`using-the-views`. authenticated users accessing the login page will be redirected as if they had just successfully logged in. Defaults to ``False``. + .. warning:: + + If you enable ``redirect_authenticated_user``, other websites will be + able to determine if their visitors are authenticated on your site by + requesting redirect URLs to image files on your website. To avoid + this "`social media fingerprinting + `_" information + leakage, host all images and your favicon on a separate domain. + .. deprecated:: 1.9 The ``current_app`` parameter is deprecated and will be removed in
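Review bot: in the docs/topics/auth/default.txt hunk, the hyperlink inside the new ``.. warning::`` has no target in the lines as shown: the reference reads ``"`social media fingerprinting `_"`` with nothing between the link text and the closing backtick, so Sphinx would report an unresolved reference and the rendered link would not resolve; confirm the URL is present in the committed text. Two wording points on the same hunk: "requesting redirect URLs to image files on your website" is ambiguous and would read better as "sending a request to the login view whose redirect target is an image on your site", which names what is actually being probed; and the mitigation sentence lists only one option, while the simplest one is already in the surrounding context ("Defaults to ``False``"), so consider ending with "or leave ``redirect_authenticated_user`` at its default of ``False``" so readers do not assume moving images to another domain is the only fix.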