Opened 11 years ago
Last modified 11 years ago
#24321 closed Bug
`utils.http.same_origin` doesn't comply with RFC6454 — at Initial Version
| Reported by: | Lukas Klein | Owned by: | nobody |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
According to RFC6454 (http://tools.ietf.org/html/rfc6454#section-3.2.1) this should both be true:
>>> from django.utils.http import same_origin >>> same_origin('http://google.com', 'http://google.com') True >>> same_origin('http://google.com', 'http://google.com:80') False
Quote:
All of the following resources have the same origin:
http://example.com/
http://example.com:80/
http://example.com/path/file
Each of the URIs has the same scheme, host, and port components.
Django's same_origin uses the standard urllib, which will return an empty port if none is explicitly specified.
My suggestion (see GitHub pull request) is to extend same_origin to use a protocol-to-port-mapping if no port is explicitly declared.
Note:
See TracTickets
for help on using tickets.