#24321 closed Bug (fixed)
`utils.http.same_origin` doesn't comply with RFC6454
| Reported by: | Lukas Klein | Owned by: | nobody |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
According to RFC6454 (http://tools.ietf.org/html/rfc6454#section-3.2.1) both of these should be true:

```
>>> from django.utils.http import same_origin
>>> same_origin('http://google.com', 'http://google.com')
True
>>> same_origin('http://google.com', 'http://google.com:80')
False
```
Quote:
All of the following resources have the same origin:
http://example.com/
http://example.com:80/
http://example.com/path/file
Each of the URIs has the same scheme, host, and port components.
Django's same_origin uses the standard urllib, which will return an empty port if none is explicitly specified.
My suggestion (see GitHub pull request: https://github.com/django/django/pull/4108) is to extend same_origin to use a protocol-to-port-mapping if no port is explicitly declared.
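The comparison the ticket asks for, written out as an added example (this is not Django's `same_origin` nor the code in the linked pull request): `naive_same_origin` reproduces the reported behaviour, where a URL without a port and the same URL with its scheme's default port compare unequal, and `same_origin` applies the RFC 6454 rule by substituting the scheme's default port before comparing. The `DEFAULT_PORTS` mapping is an assumption made for this example; real code would need whatever schemes it actually accepts.

```python
from urllib.parse import urlsplit

# Default port per scheme, substituted when the authority omits a port.
# This mapping is an assumption of the example, not Django's own table.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def naive_same_origin(url1, url2):
    """The behaviour the ticket reports: compare scheme, host and the
    port exactly as urllib parses them, so a missing port (None) and an
    explicit default port (80) are treated as different origins."""
    p1, p2 = urlsplit(url1), urlsplit(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def origin(url):
    """Return the (scheme, host, effective port) triple of a URL.

    hostname is already lower-cased by urlsplit; the scheme is lower-cased
    here. A missing port is replaced by the scheme's default port, which is
    the substitution RFC 6454 section 4 prescribes.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port  # None when no explicit port; raises ValueError if malformed
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url1, url2):
    """RFC 6454 same-origin check: scheme, host and effective port match.

    A URL whose port cannot be parsed, or which has no host at all, never
    matches anything; failing closed is the safe choice for a check that
    is used to accept or reject a request.
    """
    try:
        o1, o2 = origin(url1), origin(url2)
    except ValueError:
        return False
    if not o1[1] or not o2[1]:
        return False
    return o1 == o2


if __name__ == "__main__":
    # Constructed sample pairs taken from the ticket and the RFC quote.
    pairs = [
        ("http://google.com", "http://google.com"),
        ("http://google.com", "http://google.com:80"),
        ("http://example.com/", "http://example.com/path/file"),
        ("http://example.com", "http://example.com:8080"),
        ("http://example.com", "https://example.com"),
    ]
    for a, b in pairs:
        print(f"{a:<28} {b:<30} naive={naive_same_origin(a, b)!s:<5} rfc={same_origin(a, b)}")
```

Only the second pair differs between the two functions: the naive comparison rejects `http://google.com:80` against `http://google.com`, while the RFC comparison accepts it. A different explicit port (8080) or a different scheme still yields a distinct origin under both.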
Change History (5)
comment:1 by , 11 years ago
| Description: | modified (diff) |
|---|---|
comment:2 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
comment:3 by , 11 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|---|
comment:4 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
In 93b3ef9b2e191101c1a49b332d042864df74a658: