
Warn about urlsplit()'s netloc not being suitable for open redirect checking #142412

@ThiefMaster

Description

>>> from urllib.parse import urlsplit
>>> urlsplit('//example.com')
SplitResult(scheme='', netloc='example.com', path='', query='', fragment='')
>>> urlsplit('///example.com')
SplitResult(scheme='', netloc='', path='/example.com', query='', fragment='')
>>> urlsplit('////example.com')
SplitResult(scheme='', netloc='', path='//example.com', query='', fragment='')

This greatly differs from how browsers interpret it: Location: ////example.com will redirect you to example.com, which makes checking for a non-empty netloc to avoid open redirects useless.

I tested using Firefox (which starts treating it as a netloc starting with 4 slashes). httpie on the other hand does not have this problem, and curl simply rejects such invalid redirects. So it is most likely a case of browsers simply tolerating garbage instead of refusing it.

I think a warning in the docs that it is not suitable for checking against open redirects may be a nice thing to add...
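The following is an added example illustrating the issue report above; it is not code from the issue author or from CPython. `naive_is_local` is the check the report says is insufficient (empty `netloc` means "relative, therefore safe"), and `is_safe_redirect` is one hardened replacement. The hardened version assumes the application knows its own hostname (`host`), rejects targets that start with two or more slashes or contain a backslash before parsing (browsers fold `\` into `/` and skip extra slashes in a scheme-relative URL, which `urlsplit` does not), rejects whitespace and control characters that browsers strip, then resolves the target against the site's own base with `urljoin` and requires the resulting hostname to match. The test inputs are constructed for this example.

```python
from urllib.parse import urlsplit, urljoin


def naive_is_local(target: str) -> bool:
    """The check the issue report warns against.

    urlsplit() only treats exactly two leading slashes as an authority, so
    '////example.com' parses as path '//example.com' with an empty netloc and
    slips through, even though a browser will send the user to example.com.
    """
    return urlsplit(target).netloc == ""


def is_safe_redirect(target: str, host: str, allowed_schemes=("http", "https")) -> bool:
    """Return True only if `target` can resolve to a page on `host`.

    `host` is the application's own hostname (an assumption of this example;
    compared case-insensitively, userinfo and port are not part of it).
    """
    if not target:
        return False

    # Browsers strip tab/newline anywhere and leading/trailing control chars
    # and spaces before parsing; rather than emulate that, refuse them.
    if any(ord(c) < 0x21 for c in target):
        return False

    # Browsers treat '\' like '/' in http(s) URLs, so '/\evil' is '//evil'.
    normalised = target.replace("\\", "/")

    # urlsplit() only recognises exactly '//' as an authority marker and folds
    # '///', '////', ... into the path; browsers skip the extra slashes and
    # still read a host. Reject every scheme-relative form up front.
    if normalised.startswith("//"):
        return False

    parts = urlsplit(normalised)
    # Refuse javascript:, data:, and anything else that is not a web URL.
    if parts.scheme and parts.scheme not in allowed_schemes:
        return False

    # Resolve the way a browser would against our own origin, then insist the
    # final hostname is ours. Absolute URLs to other hosts fail here, as does
    # 'http:evil.example' (scheme mismatch leaves it unresolved).
    resolved = urlsplit(urljoin(f"https://{host}/", normalised))
    return resolved.scheme in allowed_schemes and resolved.hostname == host.lower()


def compare(targets, host):
    """Run both checks over a list of targets; returns {target: (naive, hardened)}."""
    return {t: (naive_is_local(t), is_safe_redirect(t, host)) for t in targets}


if __name__ == "__main__":
    # Constructed inputs for this example, including the ones from the report.
    samples = [
        "/account",
        "https://site.example/account",
        "//example.com",
        "///example.com",
        "////example.com",
        "/\\example.com",
        "\t//example.com",
        "https://example.com/",
        "javascript:alert(1)",
    ]
    for t, (naive, hardened) in compare(samples, "site.example").items():
        print(f"{t!r:32} naive={naive!s:5} hardened={hardened}")
```

The decisive difference is the `startswith("//")` test applied *before* `urlsplit`: resolving `////example.com` with `urljoin` alone would produce `https://site.example//example.com`, because `urlsplit` has already demoted the host into the path, so a post-resolution hostname check without that guard would still pass the payload from the report.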

Labels: docs (Documentation in the Doc dir)
Status: Todo