#19992: Put protection against unsafe redirects into `HttpResponseRedirectBase`
-------------------------------+------------------------------------
Reporter: coolRR | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by coolRR):
I agree with the idea of a `safe` flag to functions that do a redirect.
(Which I guess is `redirect` and the constructor for the redirect
response, possibly several more?)
I would think, though, about whether it's correct to call it `safe`,
because it might just mean "local", and calling it safe might give an
illusion of safety. But I don't feel strongly about the name.
Now, the thing is, since we'll have `safe=True` by default, existing apps
will break. So I think that this functionality needs to be turned on and
off on an app-by-app basis. I suggest it being off by default, but that
you could turn it on for each app individually, so you could turn it on
for your apps without breaking the third-party apps that you're using.
What do you think?
--
Ticket URL: <https://code.djangoproject.com/ticket/19992#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
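The "local" check that a `safe` flag on `redirect()` would have to perform, as an added example for readers of this thread (it is not Django's own code and not part of the ticket): a standalone `is_local_redirect()` plus a `safe_redirect()` wrapper that falls back to a fixed path. The function names, the `allowed_hosts` parameter and the sample inputs below are all assumptions made for the example. It applies the same rules Django's own `is_safe_url()` helper (later renamed `url_has_allowed_host_and_scheme()`) enforces: the browser-side quirks that make naive "starts with /" checks fail, namely `//host`, `///host`, backslashes treated as slashes, tab/newline stripping, `scheme:` targets, and `http:///host`.

```python
"""Hypothetical local-only redirect check (example code, not Django's own)."""
from urllib.parse import urlsplit


def is_local_redirect(location, allowed_hosts=frozenset()):
    """Return True only if the Location value keeps the browser on this site.

    `allowed_hosts` (assumed parameter) is a set of host[:port] strings that
    count as "our" site for absolute or protocol-relative http(s) URLs; an
    empty set accepts relative paths only.
    """
    if not isinstance(location, str):
        return False
    # Browsers drop tab/CR/LF anywhere in the URL and leading whitespace
    # before parsing, and the WHATWG parser treats "\" as "/" in http(s).
    cleaned = "".join(ch for ch in location if ch not in "\t\r\n").lstrip()
    cleaned = cleaned.replace("\\", "/")
    if not cleaned:
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. a malformed IPv6 literal in the host part
        return False
    # "javascript:", "data:", "ftp:" etc. are never a local redirect.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    # "http:///evil.example": urlsplit sees no netloc, browsers see a host.
    if parts.scheme and not parts.netloc:
        return False
    if parts.netloc:
        allowed = {h.lower() for h in allowed_hosts}
        return parts.netloc.lower() in allowed
    # No scheme, no netloc: a relative target. "///host" still starts a new
    # authority for browsers although urlsplit reports an empty netloc.
    return not cleaned.startswith("//")


def safe_redirect(location, fallback="/", allowed_hosts=frozenset()):
    """Return `location` if it is local, otherwise `fallback`.

    This is what a `safe=True` flag on redirect() could do instead of raising.
    """
    if is_local_redirect(location, allowed_hosts):
        return location
    return fallback


# Constructed inputs showing which values a "next=" parameter may carry.
SAMPLE_TARGETS = [
    "/accounts/profile/",          # plain local path: allowed
    "//evil.example/",             # protocol-relative: leaves the site
    "///evil.example",             # browsers read this as //evil.example
    "/\\evil.example",             # backslash becomes a slash in browsers
    "\t/\\evil.example",           # tab is stripped, then as above
    "javascript:alert(1)",         # script scheme
    "http:///evil.example",        # empty netloc, but a host to browsers
    "https://shop.example@evil.example/",  # userinfo spoofing the host
]


def classify(allowed_hosts=frozenset({"shop.example"})):
    """Map each sample target to the redirect decision."""
    return {t: is_local_redirect(t, allowed_hosts) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, ok in classify().items():
        print(f"{'local ' if ok else 'REJECT'}  {target!r}")
```

Comparing against `allowed_hosts` rather than checking "is it our hostname somewhere in the string" is deliberate: `shop.example.evil.example` and `shop.example@evil.example` both contain the trusted name yet send the user elsewhere.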