#19992: Put protection against unsafe redirects into `HttpResponseRedirectBase`
-------------------------------+------------------------------------
     Reporter:  coolRR         |                    Owner:  nobody
         Type:  New feature    |                   Status:  new
    Component:  HTTP handling  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  security       |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Comment (by coolRR):

I agree with the idea of a `safe` flag to functions that do a redirect.
(Which I guess is `redirect` and the constructor for the redirect
response, possibly several more?) I would think though whether it's
correct to call it `safe`, because it might just mean "local", and calling
it safe might give an illusion of safety. But I don't feel strongly about
the name.

Now, the thing is, since we'll have `safe=True` by default, existing apps
will break. So I think that this functionality needs to be turned on and
off on an app-by-app basis. I suggest it being off by default, but that
you could turn it on for each app individually, so you could turn it on
for your apps without breaking the third-party apps that you're using.

What do you think?

--
Ticket URL: <https://code.djangoproject.com/ticket/19992#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
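Added example (not Django's code and not part of the ticket): a sketch of what the `safe` flag discussed above could check, reading "safe" in the narrow "local" sense the commenter raises, plus the per-app opt-in switch they propose. The helper names `is_local_redirect`, `build_redirect`, `redirect_for_app` and the `SAFE_REDIRECT_APPS` mapping are assumptions chosen for this example; the redirect "response" is a plain dict standing in for `HttpResponseRedirectBase`. The checker rejects the usual ways a browser turns a "path" into a foreign absolute URL (scheme, scheme-relative `//host`, `///host`, backslashes, leading control characters).

```python
import unicodedata
from urllib.parse import urlsplit


def is_local_redirect(url: str) -> bool:
    """Return True only if `url` is an absolute path on the current site.

    "Local" here means: no scheme, no network location, and none of the
    spellings browsers resolve to another host anyway.
    (Assumed helper; not Django's API.)
    """
    if not url:
        return False
    # Browsers skip leading control characters and whitespace, after which a
    # scheme or "//" could become visible, so refuse such input outright.
    if url[0].isspace() or unicodedata.category(url[0])[0] == "C":
        return False
    # Chrome treats backslashes as forward slashes, so normalise before
    # parsing; "/\evil.example" must be seen as "//evil.example".
    normalised = url.replace("\\", "/")
    # "//host" is scheme-relative and "///host" is also resolved to a
    # foreign host by browsers; neither is local.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False  # e.g. "https://evil.example/", "javascript:..."
    return normalised.startswith("/")


class UnsafeRedirect(ValueError):
    """Raised when a redirect target is refused under safe=True."""


def build_redirect(location: str, safe: bool = True) -> dict:
    """Stand-in for a redirect response constructor with a `safe` flag.

    With safe=True (hypothetical flag from the ticket) the target must be
    local; with safe=False the old permissive behaviour is kept.
    """
    if safe and not is_local_redirect(location):
        raise UnsafeRedirect(f"refusing non-local redirect target: {location!r}")
    return {"status": 302, "Location": location}


# Constructed per-app switch, following the comment's proposal: enforce
# the check for your own apps while third-party apps keep the permissive
# default. Apps not listed fall back to safe=False.
SAFE_REDIRECT_APPS = {"accounts": True, "legacy_thirdparty": False}


def redirect_for_app(app_label: str, location: str) -> dict:
    """Build a redirect using the app's configured safe-redirect setting."""
    return build_redirect(location, safe=SAFE_REDIRECT_APPS.get(app_label, False))


if __name__ == "__main__":
    for target in ["/accounts/profile/", "//evil.example/", "/\\evil.example/",
                   "https://evil.example/", "javascript:alert(1)"]:
        print(f"{target!r:28} local={is_local_redirect(target)}")
```

The opt-in dict is the simplest shape of the "on/off per app" idea; in a real framework the same decision could come from a setting keyed by app label, so that a project turns the check on for its own code first and for third-party apps once they have been reviewed.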