id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26902	Add `secure` argument to `is_safe_url()`	Przemysław Suliga	nobody	"`django.utils.http.is_safe_url()` considers any HTTP and HTTPS url safe as long as its hostname matches the `host` argument. Currently this is true: `is_safe_url('http://example.com', host='example.com')`.

Let's add a `secure` argument to `is_safe_url()` so that when it's `True`, only HTTPS is considered as a safe scheme.

The existence of that argument alone would make users aware of potential issues that can arise from ignoring it. For example if a developer uses `is_safe_url()` to validate user supplied urls for redirection to a target with appended secrets as url query params.

`django.contrib.admin` uses `django.contrib.auth` login view where `is_safe_url()` is used to validate the `next` query param. This scenario is currently possible:
- user goes to https://example.net/admin/login/?next=http://example.net/admin/foo
- they enter their credentials and POST to the above url
- They're successfully authenticated, they receive a response with a new session cookie and are redirected to http://example.net/admin/foo

Of course our HTTPS site should only set `Secure` session cookies and use HSTS, so there should be no possibility of the the cookie being sent by the user via HTTP. But if the site doesn't set secure cookies and doesn't use HSTS, this is a problem. If the site doesn't use secure cookies in the first place, then the `secure` param to `is_safe_url()` won't help much.. but I would argue it still makes the validation more ""complete""."	New feature	closed	Utilities	dev	Normal	fixed		berker.peksag@…	Ready for checkin	1	0	0	0	0	0