Opened 3 years ago

Last modified 3 years ago

#24336 assigned Cleanup/optimization

static server should skip for protocol-relative STATIC_URL

Reported by: Vlada Macek
Owned by: farrepa
Component: Core (Other)
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

As per http://stackoverflow.com/questions/550038/is-it-valid-to-replace-http-with-in-a-script-src-http and the spread of http/https websites it appears to be legitimate to have STATIC_URL and MEDIA_URL starting with // leading to a different domain under my control, but keeping the protocol. Hence this check

    # No-op if not in debug mode or an non-local prefix
    if not settings.DEBUG or (prefix and '://' in prefix):
        return []

in django.conf.urls.static.static will not match and does not turn off the static server as it should.

I guess :// should at least be changed to //.

Change History (5)

comment:1 Changed 3 years ago by Paul Hallett

Needs tests: set

comment:2 Changed 3 years ago by Paul Hallett

I experimented on a local branch of Django and changed the :// to // and didn't see any immediate problems. However this'll definitely need tests to verify.

comment:3 Changed 3 years ago by Aymeric Augustin

It would be safer to skip URLs starting with:

  • http://
  • https://
  • //

The most robust solution may be to parse the URL and skip it if the host part isn't empty.
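
The two approaches discussed in this ticket, side by side, as an added example (not code from the ticket or from Django). The function names and sample prefixes are constructed for illustration; `skipped_by_substring_check` mirrors the condition quoted in the description without the `settings.DEBUG` part, and `skipped_by_host_check` is one way to implement the "skip if the host part isn't empty" idea with the standard library.

```python
from urllib.parse import urlsplit


def skipped_by_substring_check(prefix):
    """Condition quoted in the ticket description: non-local if '://' appears."""
    return bool(prefix and '://' in prefix)


def skipped_by_host_check(prefix):
    """Hypothetical helper: non-local if the parsed URL has a host part."""
    return bool(urlsplit(prefix).netloc)


# Constructed sample prefixes (cdn.example.com is a placeholder host).
SAMPLE_PREFIXES = [
    "/static/",                         # local path
    "http://cdn.example.com/static/",   # absolute URL
    "https://cdn.example.com/static/",  # absolute URL
    "//cdn.example.com/static/",        # protocol-relative URL from the ticket
    "/media/a://b/",                    # local path that merely contains '://'
]


def compare(prefixes=SAMPLE_PREFIXES):
    """Map each prefix to (substring check skips?, host check skips?)."""
    return {
        p: (skipped_by_substring_check(p), skipped_by_host_check(p))
        for p in prefixes
    }


if __name__ == "__main__":
    for prefix, (substring, host) in compare().items():
        note = "" if substring == host else "  <-- checks disagree"
        print(f"{prefix!r:40} substring={substring!s:5} host={host!s:5}{note}")
```

The checks disagree on the protocol-relative prefix, which the substring test treats as local, and on the constructed local path containing `://`, which it treats as remote.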

comment:4 Changed 3 years ago by Tim Graham

Easy pickings: unset
Needs tests: unset
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

comment:5 Changed 3 years ago by farrepa

Owner: changed from nobody to farrepa
Status: new → assigned