#19992: Put protection against unsafe redirects into `HttpResponseRedirectBase`
-------------------------------+--------------------
Reporter: coolRR | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Here's something I have in my app that I think other users in Django might
find beneficial.
In many circumstances you want to redirect a user inside your site to a
dynamic URL. You usually have protection in that case against redirecting
out of your site, like in here:
https://github.com/django/django/blob/d9330d5be2ee60b208dcab2616eb164ea2e6bf36/django/contrib/auth/decorators.py#L30-L36
I think it's annoying to have that protection in various places in your
code instead of having it directly in `HttpResponseRedirectBase`. I
suggest that such protection be automatically enabled in
`HttpResponseRedirectBase`, and when you want to be able to redirect to an
external site, you'll have to do some extra action to make it clear that
you know the risks. (For backwards compatibility with existing apps, we
can make this behavior off by default and allow enabling it on a per-app
basis.)
What do you think?
--
Ticket URL: <https://code.djangoproject.com/ticket/19992>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
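The kind of check the ticket is talking about, as an added illustration (stdlib only, not Django's code and not the reporter's): `is_safe_redirect` performs the host-and-scheme test that Django's auth views apply to a user-supplied "next" URL before following it, and `SafeRedirect` is a hypothetical stand-in for a redirect response class that refuses off-site targets unless the caller opts in with `allow_external=True`. The names `is_safe_redirect`, `SafeRedirect`, `UnsafeRedirect` and the `allowed_hosts` parameter are assumptions for this example; the host set and sample URLs are constructed.

```python
"""Open-redirect guard of the kind the ticket proposes (added example,
standard library only; not Django's HttpResponseRedirectBase)."""
import unicodedata
from urllib.parse import urlparse

VALID_SCHEMES = ("http", "https")


def _host_and_scheme_allowed(url, allowed_hosts, require_https):
    # Three leading slashes parse as an empty netloc, but browsers follow
    # them as a protocol-relative URL, so reject them outright.
    if url.startswith("///"):
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    # "javascript:...", "data:..." etc.: a scheme with no network location.
    if parts.scheme and not parts.netloc:
        return False
    scheme = parts.scheme
    if parts.netloc and not scheme:
        scheme = "http"  # protocol-relative "//host/..." inherits http(s)
    valid = ("https",) if require_https else VALID_SCHEMES
    host_ok = not parts.netloc or parts.netloc.lower() in allowed_hosts
    scheme_ok = not scheme or scheme in valid
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` is relative or stays on `allowed_hosts`.

    `allowed_hosts` is an iterable of host[:port] strings; in a real view
    it would be the request's own host (constructed here for the example).
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # A leading control character (e.g. "\x00/path") is parsed differently
    # by browsers and URL libraries; refuse it rather than guess.
    if unicodedata.category(url[0])[0] == "C":
        return False
    allowed = {h.lower() for h in allowed_hosts}
    # Browsers treat "\" like "/" in the authority position, so the URL
    # must pass both as given and with backslashes normalised to slashes.
    return (_host_and_scheme_allowed(url, allowed, require_https)
            and _host_and_scheme_allowed(url.replace("\\", "/"), allowed,
                                         require_https))


class UnsafeRedirect(ValueError):
    """Raised when a redirect target would send the user off-site."""


class SafeRedirect:
    """Hypothetical redirect response: refuses unsafe targets unless the
    caller explicitly passes allow_external=True."""

    status_code = 302

    def __init__(self, target, allowed_hosts, allow_external=False):
        if not allow_external and not is_safe_redirect(target, allowed_hosts):
            raise UnsafeRedirect(f"refusing redirect to {target!r}")
        self.headers = {"Location": target}


if __name__ == "__main__":
    hosts = {"example.com"}  # constructed stand-in for the request host
    for candidate in ["/accounts/profile/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)",
                      "https://example.com@evil.example/"]:
        print(f"{candidate!r:40} safe={is_safe_redirect(candidate, hosts)}")
```

The double check with backslashes normalised, the `///` rejection and the scheme-without-netloc rule are the cases a naive `startswith('/')` test misses; a response class built this way makes the opt-in visible at the call site, which is the ticket's point.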