>>> from urllib.parse import urlsplit
>>> urlsplit('//example.com')
SplitResult(scheme='', netloc='example.com', path='', query='', fragment='')
>>> urlsplit('///example.com')
SplitResult(scheme='', netloc='', path='/example.com', query='', fragment='')
>>> urlsplit('////example.com')
SplitResult(scheme='', netloc='', path='//example.com', query='', fragment='')
This greatly differs from how browsers interpret it: Location: ////example.com will redirect you to example.com, which makes checking for a non-empty netloc to avoid open redirects useless.
I tested using Firefox (which starts treating it as a netloc starting with 4 slashes). httpie on the other hand does not have this problem, and curl simply rejects such invalid redirects. So it is most likely a case of browsers simply tolerating garbage instead of refusing it.
I think a warning in the docs that it is not suitable for checking against open redirects may be a nice thing to add...
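As an added illustration (not code from this issue or from CPython), the naive empty-netloc check beside a stricter redirect validator. The helper names are hypothetical, and the browser-style normalization (backslash as slash, two or more leading slashes meaning a scheme-relative URL) is an assumption drawn from the behaviour reported above, not from the URL specification.

```python
import re
from urllib.parse import urlsplit

def naive_is_local(target: str) -> bool:
    """The check the report shows to be insufficient: trust an empty netloc."""
    return urlsplit(target).netloc == ""

def normalize_like_browser(target: str) -> str:
    """Approximate the lenient browser parsing described in the report
    (assumption): backslashes behave as slashes, and any run of two or
    more leading slashes is collapsed to a scheme-relative '//' prefix."""
    t = target.strip().replace("\\", "/")
    if re.match(r"/{2,}", t):
        t = "//" + t.lstrip("/")
    return t

def is_safe_local_redirect(target: str, allowed_hosts=frozenset()) -> bool:
    """Accept only a plain absolute path on our own origin, or an absolute
    http(s) URL whose host is explicitly allow-listed (hypothetical helper)."""
    parts = urlsplit(normalize_like_browser(target))
    if parts.scheme not in ("", "http", "https"):
        return False                      # javascript:, data:, etc.
    if parts.netloc:
        # userinfo tricks like 'ours@evil' are handled by using .hostname
        return parts.hostname in allowed_hosts
    if parts.scheme:
        return False                      # 'http:/x' with no authority: reject
    # a local redirect must be '/path', never '//host' (already normalized)
    return parts.path.startswith("/") and not parts.path.startswith("//")
```

Constructed inputs such as `////example.com`, `/\example.com` and `//example.com` all pass the naive check but are rejected by the stricter one.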