[Django] #29752: Add new ALLOWED_HOSTS_EXEMPT setting

Django

Sep 12, 2018, 8:08:04 AM
to django-...@googlegroups.com
#29752: Add new ALLOWED_HOSTS_EXEMPT setting
-----------------------------------------+------------------------
Reporter: Jonas Haag | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-----------------------------------------+------------------------
This patch adds a new ALLOWED_HOSTS_EXEMPT setting to exclude some URLs
from Host header validation.

This can become handy if you can't control the Host header sent to your
application but still want to accept the request. An example of this is
health checks made by AWS ECS/Fargate – google "django allowed_hosts aws"
and find 16,000 results with tips on how to work around the problem.

--
Ticket URL: <https://code.djangoproject.com/ticket/29752>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 12, 2018, 9:24:48 AM
to django-...@googlegroups.com

Comment (by Jonas Haag):

https://github.com/django/django/pull/10383

--
Ticket URL: <https://code.djangoproject.com/ticket/29752#comment:1>

Django

Sep 12, 2018, 9:56:54 AM
to django-...@googlegroups.com

Comment (by Simon Charette):

Without weighing in on the acceptability of the feature request, the
setting name should probably contain `_URL` to adhere to the existing setting
names.

--
Ticket URL: <https://code.djangoproject.com/ticket/29752#comment:2>

Django

Sep 12, 2018, 10:06:04 AM
to django-...@googlegroups.com

Comment (by Jonas Haag):

I took SECURE_REDIRECT_EXEMPT as a guideline, both in terms of naming and
in terms of implementation

--
Ticket URL: <https://code.djangoproject.com/ticket/29752#comment:3>
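
The exemption proposed in this ticket, modelled as an added example (not code from the pull request or from Django). It assumes the exempt list holds regexes searched against the path with leading slashes stripped, which is how SecurityMiddleware treats SECURE_REDIRECT_EXEMPT; the function names, hosts and paths are constructed for illustration. It shows why an unanchored pattern exempts more paths than the health check it was written for.

```python
import re

def host_allowed(host, allowed_hosts):
    """Simplified model of ALLOWED_HOSTS matching: exact name, '.suffix' or '*'."""
    host = host.lower().split(":")[0]  # drop the port; IPv6 literals not handled
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern in ("*", host):
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False

def is_exempt(path, exempt_patterns):
    """Assumed semantics: re.search on the path without its leading slash."""
    stripped = path.lstrip("/")
    return any(re.search(p, stripped) for p in exempt_patterns)

def accept(path, host, allowed_hosts, exempt_patterns):
    """Accept if the path is exempt, otherwise fall back to Host validation."""
    return is_exempt(path, exempt_patterns) or host_allowed(host, allowed_hosts)

# Constructed sample configuration.
ALLOWED = ["example.com", ".example.org"]
LOOSE = [r"health"]      # unanchored: matches anywhere in the path
STRICT = [r"^health/$"]  # anchored: matches only the health-check URL

def demo():
    checker = "10.0.3.17"  # constructed: a health checker addressing the task by IP
    return {
        "health_strict": accept("/health/", checker, ALLOWED, STRICT),
        "admin_strict": accept("/admin/", checker, ALLOWED, STRICT),
        "lookalike_loose": accept("/accounts/reset/health", checker, ALLOWED, LOOSE),
        "lookalike_strict": accept("/accounts/reset/health", checker, ALLOWED, STRICT),
        "normal_host": accept("/admin/", "www.example.org", ALLOWED, STRICT),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Any view reachable through an exempt pattern runs with an unvalidated Host header, so such views should not build absolute URLs from it.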

Django

Sep 12, 2018, 10:13:24 AM
to django-...@googlegroups.com

Comment (by Simon Charette):

The thing with `SECURE_REDIRECT_EXEMPT` is that it contains
`REDIRECT_EXEMPT` which kind of self-documents that it must contain
''paths''. In the case of `ALLOWED_HOSTS_EXEMPT` it's not clear that it's
a ''paths'' exemption list; it sounds like a ''hosts'' exemption list.

--
Ticket URL: <https://code.djangoproject.com/ticket/29752#comment:4>

Django

Sep 12, 2018, 12:52:08 PM
to django-...@googlegroups.com
#29752: Add new ALLOWED_HOSTS_EXEMPT setting
-------------------------------+-----------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Tim Graham):

* easy: 1 => 0
* stage: Unreviewed => Someday/Maybe


Comment:

Proposals to add new settings must be made on the DevelopersMailingList.

--
Ticket URL: <https://code.djangoproject.com/ticket/29752#comment:5>

Django

Oct 2, 2018, 9:00:33 AM
to django-...@googlegroups.com
#29752: Add new ALLOWED_HOSTS_EXEMPT setting
-------------------------------+-----------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: New feature | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Someday/Maybe
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => wontfix


Comment:

The [https://groups.google.com/d/topic/django-developers/__jdYSDMaIQ/discussion django-developers discussion]
didn't yield a consensus to add this.

--
Ticket URL: <https://code.djangoproject.com/ticket/29752#comment:6>
