id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19992	Put protection against unsafe redirects into `HttpResponseRedirectBase`	Ram Rachum	nobody	"Here's something I have in my app that I think other users in Django might find beneficial.

In many circumstances you want to redirect a user inside your site to a dynamic URL. You usually have protection in that case against redirecting out of your site, like here:

https://github.com/django/django/blob/d9330d5be2ee60b208dcab2616eb164ea2e6bf36/django/contrib/auth/decorators.py#L30-L36

I think it's annoying to have that protection in various places in your code instead of having it directly in `HttpResponseRedirectBase`. I suggest that such protection be automatically enabled in `HttpResponseRedirectBase`, and when you want to be able to redirect to an external site, you'll have to do some extra action to make it clear that you know the risks. (For backwards compatibility with existing apps, we can make this behavior off by default, and allow enabling it on a per-app basis.)

What do you think?"	New feature	closed	HTTP handling	dev	Normal	duplicate	security		Accepted	0	0	0	0	0	0
