#19992: Put protection against unsafe redirects into `HttpResponseRedirectBase`
-------------------------------+------------------------------------
     Reporter:  coolRR         |                    Owner:  nobody
         Type:  New feature    |                   Status:  new
    Component:  HTTP handling  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  security       |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by coolRR):

 I agree with the idea of a `safe` flag to functions that do a redirect.
 (Which I guess is `redirect` and the constructor for the redirect
 response, possibly several more?)

 I would think, though, about whether it's correct to call it `safe`,
 because it might just mean "local", and calling it safe might give an
 illusion of safety. But I don't feel strongly about the name.

 Now, the thing is, since we'll have `safe=True` by default, existing apps
 will break. So I think that this functionality needs to be turned on and
 off on an app-by-app basis. I suggest it being off by default, but that
 you could turn it on for each app individually, so you could turn it on
 for your apps without breaking the third-party apps that you're using.

 What do you think?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/19992#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
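Added example for the discussion above, not code from the ticket or from
Django's code base: a standalone sketch of what a "local-only" check behind a
`safe` flag on a redirect helper has to reject, runnable without Django. The
names `is_local_url`, `build_redirect` and `UnsafeRedirect` are assumptions
for this example, as is the rule that relative targets must start with `/`;
Django's real helper for this job is
`django.utils.http.url_has_allowed_host_and_scheme` (formerly `is_safe_url`).

```python
"""Standalone illustration of a "local-only" redirect check (added example).

Not Django's own code. Mimics the idea discussed in ticket #19992: a `safe`
flag on a redirect helper that refuses targets pointing off-site. Function
names and rules below are assumptions for this example.
"""
from urllib.parse import urlsplit


class UnsafeRedirect(ValueError):
    """Raised when a redirect target is not local to this site."""


def is_local_url(url: str, allowed_hosts=()) -> bool:
    """Return True only if `url` stays on this site (or an allowed host).

    Rejects the usual open-redirect tricks:
      * absolute URLs with a foreign host   (http://evil.example/)
      * scheme-relative URLs                (//evil.example/)
      * backslash variants browsers accept  (/\\evil.example)
      * non-http(s) schemes                 (javascript:, data:)
      * leading/trailing whitespace and control characters
    Assumption: relative targets must be root-relative (start with '/').
    """
    if not url or url != url.strip() or any(ord(c) < 0x20 for c in url):
        return False
    # Browsers treat backslashes in the authority as slashes, so '/\\host'
    # is read as '//host'. Normalise before parsing so urlsplit sees it.
    normalised = url.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative URL: only our own hosts are local.
        return parts.hostname in allowed_hosts
    # No host part: accept only a root-relative path (never '//...').
    return normalised.startswith("/") and not normalised.startswith("//")


def build_redirect(url: str, safe: bool = True, allowed_hosts=()) -> dict:
    """Stand-in for a redirect response constructor with a `safe` flag.

    Returns a minimal status/header dict instead of an HttpResponse so the
    example runs without Django. With safe=True (the default the ticket
    discusses), an off-site target raises UnsafeRedirect instead of being
    sent to the browser; safe=False keeps today's permissive behaviour.
    """
    if safe and not is_local_url(url, allowed_hosts):
        raise UnsafeRedirect(f"refusing to redirect to {url!r}")
    return {"status": 302, "Location": url}


if __name__ == "__main__":
    for target in ("/accounts/profile/", "//evil.example/", "/\\evil.example",
                   "javascript:alert(1)", "https://evil.example/login"):
        try:
            print(target, "->", build_redirect(target))
        except UnsafeRedirect as exc:
            print(target, "->", exc)
```

Note what the check does and does not buy: it keeps the `Location` header on
this site, which is exactly the "local" guarantee the comment says the word
`safe` might overstate; it says nothing about whether the local path itself is
appropriate for the user being redirected.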
