#24321 closed Bug (fixed)
`utils.http.same_origin` doesn't comply with RFC6454
Reported by: | Lukas Klein | Owned by: | nobody |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
According to RFC6454 (http://tools.ietf.org/html/rfc6454#section-3.2.1) this should both be true:
>>> from django.utils.http import same_origin >>> same_origin('http://google.com', 'http://google.com') True >>> same_origin('http://google.com', 'http://google.com:80') False
Quote:
All of the following resources have the same origin:
http://example.com/
http://example.com:80/
http://example.com/path/file
Each of the URIs has the same scheme, host, and port components.
Django's same_origin
uses the standard urllib, which will return an empty port if none is explicitly specified.
My suggestion (see GitHub pull request: https://github.com/django/django/pull/4108) is to extend same_origin
to use a protocol-to-port-mapping if no port is explicitly declared.
Change History (5)
comment:1 by , 10 years ago
Description: | modified (diff) |
---|
comment:2 by , 10 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:3 by , 10 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:4 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
In 93b3ef9b2e191101c1a49b332d042864df74a658: