Relative rediects per RFC7231 as the new default #749
Comments
What effect would this have on cross-domain redirects? |
It had entered for the 0.12+ or just 0.13? |
@shakna-israel , like this (?) --
or something another? |
@polymorphm, That sounds good. Sorry for weighing in, just developing a CORS app at the moment, and it tends to be the kind of thing that breaks when trying to match URI compliance. |
@shakna-israel , please , try check this changing in your CORS-apps
I think this check-result -- is will be important for all |
@polymorphm, it seems to work absolutely fine. |
The solution proposed by @polymorphm meets our case. |
I think this should be linked to the following related issues: #748 and (the much older) #293 In my case, I have an application deployed on Apache with mod_wsgi at a subdirectory (e.g. example.com/myapp/). From my virtualhost config:
And in myapp.py: @route('/<dirname>')
def bare_dir(dirname):
redirect('/%s/' % dirname) Even though the @route('/<dirname>')
def bare_dir(dirname):
redirect('%s/' % dirname) # no leading slash I'm not an expert on web standards, so maybe this is the intended usage? But I expected a |
The server/app root problem is a very common and annoying thing. Unfortunately, there is no reliable way to know about the 'application root' other than configuration. A proxy could redirect arbitrary urls to the application, rewriting the URL in any way desirable. There is Currently bottle resolves relative URLs against something it thinks is the server root. It uses Magically prefixing redirect paths with I tent do (finally) just pull this simple change, and if we find out later that the missing urljoin breaks reasonable existing applications, we could still make it configurable. |
In #747 @polymorphm pojnted out that according to RFC7231 (which obsoletes RFC2616) relative URLs in the Location header are allowed.
Current behavior: Bottle tries to turn relative URLs in
bottle.redirect()
calls into absolute URLs by joining with therequest.url
string. See https://github.com/bottlepy/bottle/blob/master/bottle.py#L2445New behavior: Bottle just passes the provided URI as is. No URL-joining will be performed.
This behavior change should have no effect on well behaved clients. Relative URLs in
Location
headers are supported by all client libraries I know of because it is a common (previously non-standard but now allowed) practice for years now.It is still a behavior change with no obvious upgrade path. This is why I opened this issue. If you can think of a situation where this change breaks an existing application, or introduce a security risk, please speak up.
The text was updated successfully, but these errors were encountered: