Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Relative location headers are "fixed" as if they are relative to root instead of the current url #693

boblehest opened this issue Feb 16, 2015 · 7 comments


Copy link

@boblehest boblehest commented Feb 16, 2015

When the location header points to a relative address, werkzeug grabs the root of the url, which for turns into, and then adds the relative location on top, which doesn't turn out well.

Why not use the full url when correcting it? In my case if I get redirected from to ../abc, I'd want to end up at instead of

Copy link

@untitaker untitaker commented Mar 22, 2015

The location header can't be relative, as per RFC 2616:

The Location response-header field is used to redirect the recipient to a location other than the Request-URI for completion of the request or identification of a new resource. For 201 (Created) responses, the Location is that of the new resource which was created by the request. For 3xx responses, the location SHOULD indicate the server's preferred URI for automatic redirection to the resource. The field value consists of a single absolute URI.

Copy link

@untitaker untitaker commented Mar 22, 2015

I'd accept patches that change the behavior (since it'd still be RFC-compliant, just more tolerant) as long as there are no performance penalties.

Copy link
Contributor Author

@boblehest boblehest commented Mar 26, 2015

Edit: PR #718

Edit: Aww, github deleted my entire comment when I clicked "edit", what a cool feature. Quick rehash: As you can see in the PR, it appears (to me) to be a really simple fix, unless there's something I'm missing.

Copy link

@untitaker untitaker commented Apr 4, 2015

Your original comment I recieved via mail:

Yeah, I know it can't be relative. I've set up a proxy server for an internal http server, and unfortunately it doesn't honor the spec.

The problem is that I think the corrected location should be relative to the "working directory", which it currently isn't.

The fix appears to be really simple, unless I'm missing something (for the record, this is nowhere near my area of expertise).

PR coming up.

Copy link

@mjpieters mjpieters commented Oct 13, 2016

RFC 7231 changed the Location requirements, see section 7.1.2:

The field value consists of a single URI-reference. When it has the
form of a relative reference ([RFC3986], Section 4.2), the final
value is computed by resolving it against the effective request URI
([RFC3986], Section 5).

As such, the location header does not have to be absolute anymore. Werkzeug may choose to remain conservative in this (and require you to set BaseResponse.autocorrect_location_header to False explicitly).

Copy link

@davidism davidism commented May 28, 2018

For reference, even after the PR, the header will still end up with an absolute path, it's just that relative paths will be relative to the current path instead of the root path. If you actually want a relative URL in the header, disable autocorrect_location_header.

Copy link

@meghabh meghabh commented Dec 3, 2019

How can I still use the root url, instead of current path . Is it by setting up autocorrect_location_header to flase ?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

5 participants