Put protection against unsafe redirects into `HttpResponseRedirectBase`
|Reported by:||coolRR||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Here's something I have in my app that I think other users in Django might find beneficial.
In many circumstances you want to redirect a user inside your site to a dynamic URL. You usually have protection in that case against redirecting out of your site, like in here:
I think it's annoying to have that protection in various places in your code instead of having it directly in HttpResponseRedirectBase. I suggest that such protection will be automatically enabled in HttpResponseRedirectBase, and when you want to be able to redirect to an external site, you'll have to do some extra action to make it clear that you know the risks. (For backwards compatibility with existing apps, we can make this behavior off by default, and to allow enabling it on a per-app basis.)
What do you think?
Change History (4)
comment:1 Changed 3 years ago by jacob
- Keywords security added
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted