Location returned by redirect_slashes should be relative instead of absolute

[rijenkii]

Discussed in #2651

^{Originally posted by rijenkii July 23, 2024}
I have a following setup:

Browser --(https)--> Nginx --(http)--> FastAPI/Starlette

When a browser accidentally calls an endpoint without an ending slash, Starlette responds with a 307 with Location: http://example.org/api/endpoint/, which browser rightfully rejects because of mixed content blocking.

If Starlette responded with Location: /api/endpoint/ instead, browser would then just slap that relative location to the current host.

Django does it like that, but they respond with 301s:

> GET /api/endpoint HTTP/1.1

< HTTP/1.1 301 Moved Permanently
< location: /api/endpoint/

---

Related code:

starlette/starlette/routing.py

Lines 750 to 763 in c2e3a39

	if scope["type"] == "http" and self.redirect_slashes and route_path != "/":
	redirect_scope = dict(scope)
	if route_path.endswith("/"):
	redirect_scope["path"] = redirect_scope["path"].rstrip("/")
	else:
	redirect_scope["path"] = redirect_scope["path"] + "/"
	for route in self.routes:
	match, child_scope = route.matches(redirect_scope)
	if match != Match.NONE:
	redirect_url = URL(scope=redirect_scope)
	response = RedirectResponse(url=str(redirect_url))
	await response(scope, receive, send)
	return