The security.alternate-file-domain config item has a scary warning, but otherwise the item's description doesn't say much. Perhaps the description could be elaborated or be more specific?
These questions are left unanswered in the description:
- What kind of vulnerabilities are left open when files are served from the same domain? Is this Phabricator specific?
- If an install is really "NOT SECURE" without an alternate file domain, how come this is not a setup issue like other important settings? I guess the answer is T2380, but how come you don't have a separate files domain for secure.phabricator.com?
- The last sentence in the current description says "Ideally, you should use a completely separate domain name rather than just a different subdomain". Does this mean that a different subdomain is better than nothing?