Just my two cents worth, but I think something like this is such a 'per case basis', that it probably shouldn't be included in the core.
Unless you can guarantee that all web application servers/load balancers are going to correctly handle the header out of the box (i.e. inject/strip where necessary), then there's no way this could be "securely" introduced.

The reason I say per case basis, is because we've had to implement this same middleware ourselves into multiple clients, all of which had to be slightly different due to the handling of the SSL header at the load balancer.

Cal

On Mon, Sep 26, 2011 at 1:02 PM, Luke Plant <[email protected]> wrote:

> On 26/09/11 12:45, Tom Evans wrote:
> > On Sat, Sep 24, 2011 at 9:28 PM, Luke Plant <[email protected]> wrote:
> >>
> >> I'm happy to be proved wrong, of course. Apache is very popular, though,
> >> so if it's hard in Apache, it could be said to be hard full stop.
> >>
> >
> > RequestHeader unset X-Forwarded-Protocol
> >
> > Not precisely what I'd call hard.
>
> I am indeed happy to have been proved wrong :-) ... if slightly
> embarrassed...
>
> I suppose we should check that this definitely works in conjunction with
> mod_proxy and whichever module it is that sets X-Forwarded-Protocol/Ssl.
>
> > I suppose it is analogous to DB routers. Django doesn't provide
> > routers to handle the common ways to scale a database, but they are
> > simple enough to write for your specific setup. There is a simple way
> > to add your own fixups to requests, and it works, so we don't need to
> > burden the core or contrib with it.
>
> Given the security problems of getting HttpRequest.is_secure() wrong
> either way, and the common solution to this particular problem, I think
> it is better to have support in the core for this.
>
> Luke
>
> --
> "I regret I wasn't born with opposable toes." (Calvin and Hobbes)
>
> Luke Plant || http://lukeplant.me.uk/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
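
The per-deployment header handling discussed in this thread, as an added example that is not part of the original messages and not Django's own code: a WSGI wrapper that honours X-Forwarded-Protocol only when the direct peer is a known proxy, and drops the header otherwise. The header value `https` and the 10.0.0.0/24 proxy network are assumptions chosen for illustration.

```python
import ipaddress

# Assumptions (not from the thread): the proxy sends "X-Forwarded-Protocol: https"
# for TLS requests, and the trusted proxy network below is a constructed sample.
HEADER_KEY = "HTTP_X_FORWARDED_PROTOCOL"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def peer_is_trusted(environ, trusted=TRUSTED_PROXIES):
    """True only when the direct TCP peer is one of our own proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


class ForwardedProtocolMiddleware:
    """WSGI wrapper: honour the header from trusted proxies, strip it otherwise."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        value = environ.pop(HEADER_KEY, None)  # never pass the raw header on
        if value is not None and peer_is_trusted(environ, self.trusted):
            scheme = value.strip().lower()
            if scheme in ("http", "https"):
                environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


def scheme_seen_by_app(remote_addr, header=None):
    """Run one constructed request through the middleware; return what the app sees."""
    seen = {}

    def app(environ, start_response):
        seen["scheme"] = environ["wsgi.url_scheme"]
        seen["header_present"] = HEADER_KEY in environ
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if header is not None:
        environ[HEADER_KEY] = header
    ForwardedProtocolMiddleware(app)(environ, lambda status, headers: None)
    return seen["scheme"], seen["header_present"]
```

The trusted network is the part that differs per deployment, and if the proxy does not inject the header on TLS requests the application still sees `http`.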
