encode / starlette

The little ASGI framework that shines. 🌟
https://www.starlette.io/
BSD 3-Clause "New" or "Revised" License

`Location` returned by `redirect_slashes` should be relative instead of absolute #2748

Open rijenkii opened 2 weeks ago

rijenkii commented 2 weeks ago

Discussed in https://github.com/encode/starlette/discussions/2651

Originally posted by **rijenkii** July 23, 2024

I have the following setup:

```
Browser --(https)--> Nginx --(http)--> FastAPI/Starlette
```

When a browser accidentally calls an endpoint without an ending slash, Starlette responds with a 307 with `Location: http://example.org/api/endpoint/`, which the browser rightfully rejects because of mixed content blocking.

If Starlette responded with `Location: /api/endpoint/` instead, the browser would then just slap that relative location to the current host.

Django does it like that, but they respond with 301s:

```
> GET /api/endpoint HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< location: /api/endpoint/
```

Related code: https://github.com/encode/starlette/blob/c2e3a39b09a613553ee03586589ed9cd0fbf07f3/starlette/routing.py#L750-L763
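
A mitigation sketch for the setup described in the issue, added here as an example (not code from Starlette or from the issue author): a pure-ASGI middleware, under the hypothetical name `RelativeRedirectMiddleware`, that rewrites same-host absolute `Location` headers on 3xx responses to path-only form. The wrapped app, the host and the URLs are constructed to mirror the issue's example.

```python
import asyncio
from urllib.parse import urljoin, urlsplit


def relative_location(location: str, request_host: str) -> str:
    """Reduce a same-host absolute redirect target to path (+ query) only."""
    parts = urlsplit(location)
    if not parts.netloc or parts.netloc.lower() != request_host.lower():
        return location  # already relative, or another host: leave untouched
    # Collapse leading slashes: "//x/" would be read as a scheme-relative URL.
    path = "/" + parts.path.lstrip("/")
    return path + ("?" + parts.query if parts.query else "")


class RelativeRedirectMiddleware:
    """Hypothetical pure-ASGI wrapper that rewrites Location on 3xx responses."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        host = dict(scope["headers"]).get(b"host", b"").decode("latin-1")

        async def send_wrapper(message):
            if message["type"] == "http.response.start" and 300 <= message["status"] < 400:
                message["headers"] = [
                    (k, relative_location(v.decode("latin-1"), host).encode("latin-1"))
                    if k.lower() == b"location" else (k, v)
                    for k, v in message["headers"]
                ]
            await send(message)
        await self.app(scope, receive, send_wrapper)


async def constructed_app(scope, receive, send):
    # Constructed stand-in for the 307 quoted in the issue.
    await send({"type": "http.response.start", "status": 307,
                "headers": [(b"location", b"http://example.org/api/endpoint/")]})
    await send({"type": "http.response.body", "body": b""})


def demo():
    """Return (Location the client receives, URL a browser on https resolves it to)."""
    scope = {"type": "http", "path": "/api/endpoint", "headers": [(b"host", b"example.org")]}
    sent = []
    async def send(message):
        sent.append(message)
    asyncio.run(RelativeRedirectMiddleware(constructed_app)(scope, None, send))
    location = dict(sent[0]["headers"])[b"location"].decode("latin-1")
    return location, urljoin("https://example.org/api/endpoint", location)
```

Redirects to a different host pass through unchanged, and a doubled leading slash in the path is collapsed so the rewritten value cannot be read as pointing at another host.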