Open
Description
```python
>>> from urllib.parse import urlsplit
>>> urlsplit('//example.com')
SplitResult(scheme='', netloc='example.com', path='', query='', fragment='')
>>> urlsplit('///example.com')
SplitResult(scheme='', netloc='', path='/example.com', query='', fragment='')
>>> urlsplit('////example.com')
SplitResult(scheme='', netloc='', path='//example.com', query='', fragment='')
```
This greatly differs from how browsers interpret it: `Location: ////example.com` will redirect you to `example.com`, which makes checking for a non-empty `netloc` to avoid open redirects useless.
I tested using Firefox (which starts treating it as a netloc starting with 4 slashes). httpie on the other hand does not have this problem, and curl simply rejects such invalid redirects. So it is most likely a case of browsers simply tolerating garbage instead of refusing it.
I think a warning in the docs that it is not suitable for checking against open redirects may be a nice thing to add...
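The following is an added example, not code from the issue author or from CPython. It runs the three targets from the report (plus a backslash variant, which browsers also treat as an authority separator) through the naive `netloc == ''` check, through a second common check that resolves the target against the site URL with `urljoin` and compares hosts, and through a stricter check that only accepts a path beginning with exactly one `/`. The base URL `https://app.example/login`, the helper names and the sample targets are assumptions made for the demonstration:

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample targets, as a web app might receive them in a "next"
# query parameter. The three slash variants are the ones from the report;
# the backslash form is an added case (browsers treat '\' like '/' here).
TARGETS = [
    "/account",             # legitimate same-site path
    "//example.com",        # urlsplit sees a netloc
    "///example.com",       # urlsplit sees path '/example.com'
    "////example.com",      # urlsplit sees path '//example.com'
    "/\\example.com",       # backslash variant, netloc is '' as well
    "https://example.com",  # absolute URL
]


def naive_is_local(target: str) -> bool:
    """The check the report warns about: trust any target with an empty netloc."""
    return urlsplit(target).netloc == ""


def resolved_host_matches(target: str, base: str) -> bool:
    """Second common check: resolve against the site URL and compare hosts.

    Also fooled: urljoin keeps the base host and pastes '//example.com' on as
    the path, so the resolved URL still reports the site's own netloc.
    """
    return urlsplit(urljoin(base, target)).netloc == urlsplit(base).netloc


def is_safe_local_redirect(target: str) -> bool:
    """Accept only a path that starts with exactly one '/' and has no scheme
    or authority.

    Any second leading '/' or '\\' is rejected outright, because browsers
    parse it as the start of a host no matter what urlsplit reports.
    """
    cleaned = target.strip()  # browsers ignore surrounding whitespace
    if not cleaned.startswith("/"):
        return False
    if cleaned[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(cleaned)
    return parts.scheme == "" and parts.netloc == ""


def compare_checks(base: str = "https://app.example/login") -> dict:
    """Map each sample target to (naive, resolved-host, strict) verdicts."""
    return {
        t: (naive_is_local(t), resolved_host_matches(t, base), is_safe_local_redirect(t))
        for t in TARGETS
    }


if __name__ == "__main__":
    for target, (naive, resolved, strict) in compare_checks().items():
        print(f"{target!r:24} netloc-empty={naive!s:5} "
              f"same-host={resolved!s:5} strict={strict}")
```

Both the netloc test and the resolve-and-compare test accept `////example.com`, which a browser sends to `example.com`; only the prefix rule rejects it. The general lesson is to validate the shape of a redirect target before handing it to `urlsplit`, rather than trusting the parser's split to match a browser's.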