#34380 closed Cleanup/optimization (fixed)
Make URLField assume "https".
| Reported by: | Coen van der Kamp | Owned by: | Coen van der Kamp |
|---|---|---|---|
| Component: | Forms | Version: | 4.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In django.forms.fields.URLField.to_python the assumption is made that the http (no S) is a good default scheme for URLs that do not specify a scheme when submitted.
Entering example.com in a URLField will give http://example.com as cleaned data.
Ref: https://github.com/django/django/blame/main/django/forms/fields.py#L772-L774
I think URLField should assume the safe option https.
I've notified the security team, and they didn't see this as a security issue.
Change History (12)
comment:1 by , 20 months ago
comment:2 by , 20 months ago
| Has patch: | set |
|---|
comment:3 by , 20 months ago
| Needs documentation: | set |
|---|---|
| Owner: | changed from to |
| Patch needs improvement: | set |
| Status: | new → assigned |
| Summary: | URLField assumes http → Make URLField assume "https". |
| Triage Stage: | Unreviewed → Accepted |
Thanks for this report. As far as I'm aware, we should switch the default to "https" via the deprecation process (see #32375 for a similar change).
comment:4 by , 20 months ago
I've updated the PR (improved the patch). https://github.com/django/django/pull/16614/files
Not sure if I need to update something on this ticket.
comment:5 by , 19 months ago
| Needs documentation: | unset |
|---|---|
| Patch needs improvement: | unset |
| Triage Stage: | Accepted → Ready for checkin |
follow-up: 12 comment:11 by , 10 months ago
There is no (easy) way to pass/use assume_scheme via django.db.models.fields.URLField (directly), avoiding the deprecation messages (since using the transitional setting FORMS_URLFIELD_ASSUME_HTTPS also triggers a deprecation message already).
Should django.db.models.fields.URLField accept/handle assume_scheme?
Or is the way to go to use FORMS_URLFIELD_ASSUME_HTTPS for now, ignoring its DeprecationMessage, and to remove the setting with Django 6.0 again?
Might be nice to document this then in the release notes / documentation.
comment:12 by , 10 months ago
Or is the way to go to use
FORMS_URLFIELD_ASSUME_HTTPSfor now, ignoring itsDeprecationMessage, and to remove the setting with Django 6.0 again?
That was our idea (check out the entire discussion). If you agree for an early adoption of the new (Django 6.0+) default, set FORMS_URLFIELD_ASSUME_HTTPS = True and ignore it's deprecation warning during Django 5.X release cycle with e.g. warnings.filterwarnings("ignore", "FORMS_URLFIELD_ASSUME_HTTPS", category=RemovedInDjango60Warning). In Django 6.0 you will be able to remove both the FORMS_URLFIELD_ASSUME_HTTPS setting and a warnings filter.
I've opened a pull request. And am happy to adjust if needed.
https://github.com/django/django/pull/16614