Opened 10 years ago
Last modified 10 years ago
#24321 closed Bug
`utils.http.same_origin` doesn't comply with RFC6454 — at Initial Version
Reported by: | Lukas Klein | Owned by: | nobody |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
According to RFC6454 (http://tools.ietf.org/html/rfc6454#section-3.2.1) this should both be true:
>>> from django.utils.http import same_origin >>> same_origin('http://google.com', 'http://google.com') True >>> same_origin('http://google.com', 'http://google.com:80') False
Quote:
All of the following resources have the same origin:
http://example.com/
http://example.com:80/
http://example.com/path/file
Each of the URIs has the same scheme, host, and port components.
Django's same_origin
uses the standard urllib, which will return an empty port if none is explicitly specified.
My suggestion (see GitHub pull request) is to extend same_origin
to use a protocol-to-port-mapping if no port is explicitly declared.