#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by Sniom):
I've got the same use case:
I set `SCRIPT_NAME` to "/some_script_name".
At first I wanted http://url.com/some_script_name/exempt1 and
http://url.com/some_script_name/exempt2 to be served via HTTP.
So I set `SECURE_REDIRECT_EXEMPT=[r"^exempt1$", r"^exempt2$"]`.
It took me some time to figure out that `SECURE_REDIRECT_EXEMPT` was not
taking `SCRIPT_NAME` into account.
I had to modify `SECURE_REDIRECT_EXEMPT` to
`[r"^some_script_name/exempt1$", r"^some_script_name/exempt2$"]`.
It seems to me that using `request.path_info` rather than `request.path`
would do the trick.
But changing that would break existing sites using `SCRIPT_NAME` +
`SECURE_REDIRECT_EXEMPT`.
Should we at least document this strange behaviour in
https://docs.djangoproject.com/en/6.0/ref/settings/#secure-redirect-exempt?
(I am using Django version 6.0.5)
--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
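
The mismatch described in the comment, as an added example that is not part of the original message and is not Django's code. It is a plain-Python model that assumes, as the comment reports, that the exempt patterns are searched against `SCRIPT_NAME` + `PATH_INFO` with the leading slash stripped; the helper names are hypothetical. It shows both why the first patterns never matched and why the workaround patterns would stop matching if matching switched to `path_info`.

```python
import re


def exempt_by_full_path(script_name, path_info, patterns):
    """Model of the reported behaviour: match SCRIPT_NAME + PATH_INFO,
    leading slash stripped (assumption taken from the comment)."""
    path = (script_name.rstrip("/") + path_info).lstrip("/")
    return any(re.search(p, path) for p in patterns)


def exempt_by_path_info(path_info, patterns):
    """Model of the suggested alternative: match PATH_INFO only."""
    return any(re.search(p, path_info.lstrip("/")) for p in patterns)


def audit(script_name, patterns, intended_http_paths):
    """For each path meant to stay on plain HTTP, report whether it is
    exempt under each matching rule, so a change of rule can be assessed."""
    return {
        path_info: {
            "full_path": exempt_by_full_path(script_name, path_info, patterns),
            "path_info": exempt_by_path_info(path_info, patterns),
        }
        for path_info in intended_http_paths
    }


# Values taken from the comment above.
SCRIPT_NAME = "/some_script_name"
PATHS = ["/exempt1", "/exempt2"]
FIRST_TRY = [r"^exempt1$", r"^exempt2$"]
WORKAROUND = [r"^some_script_name/exempt1$", r"^some_script_name/exempt2$"]

if __name__ == "__main__":
    for label, patterns in (("first try", FIRST_TRY), ("workaround", WORKAROUND)):
        for path, result in audit(SCRIPT_NAME, patterns, PATHS).items():
            print(f"{label:10} {path:10} {result}")
```

A pattern set that reports `full_path: True` and `path_info: False` is one that relies on the current behaviour and would silently lose its exemption after such a change.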