[wp-trac] [WordPress Trac] #57809: Application password success_url should allow http when host is localhost or localhost:port
WordPress Trac
noreply at wordpress.org
Tue Mar 24 02:19:02 UTC 2026
#57809: Application password success_url should allow http when host is localhost
or localhost:port
--------------------------------------+---------------------
 Reporter:  aquarius                  |       Owner:  pento
     Type:  defect (bug)              |      Status:  closed
 Priority:  normal                    |   Milestone:  7.0
Component:  Application Passwords     |     Version:
 Severity:  normal                    |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+---------------------
Changes (by pento):
* status: accepted => closed
* resolution: => fixed
Comment:
In [changeset:"62096" 62096]:
{{{
#!CommitTicketReference repository="" revision="62096"
Application Passwords: Allow HTTP loopback redirect URLs

This change allows HTTP redirect URLs for loopback addresses (`127.0.0.1`,
`[::1]`) in `wp_is_authorize_application_redirect_url_valid()`, regardless
of environment type. This aligns the application password implementation
with RFC 8252 7.3.

It's worth noting that section 8.3 of the RFC recommends against allowing
`localhost` as a loopback redirect, since it may be susceptible to
firewall interception and DNS resolution poisoning.

Props aquarius, pento.
Fixes #57809.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57809#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
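
Added example, not part of the ticket notification and not WordPress core code: a PHP sketch of the rule the commit message describes, where https is accepted for any host and http only for the literal loopback addresses `127.0.0.1` and `[::1]`. The function name `example_is_redirect_url_allowed()` and the sample URLs are hypothetical, and the sketch considers only the http and https schemes.

```php
<?php
// Added illustration; not the WordPress core implementation.
// Rule: https is accepted for any host; http is accepted only when the host
// is the literal loopback address 127.0.0.1 or [::1] (RFC 8252 section 7.3).
// "localhost" is treated as an ordinary hostname (RFC 8252 section 8.3).

function example_is_redirect_url_allowed( string $url ): bool {
	$parts = parse_url( $url );
	if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return false;
	}

	$scheme = strtolower( $parts['scheme'] );
	if ( 'https' === $scheme ) {
		return true;
	}
	if ( 'http' !== $scheme ) {
		return false; // other schemes are out of scope for this sketch
	}

	// parse_url() keeps the brackets around an IPv6 literal and puts anything
	// before "@" into 'user', so the comparison below sees the real host.
	// Exact matching also rejects names that merely start with "127.0.0.1".
	return in_array( strtolower( $parts['host'] ), array( '127.0.0.1', '[::1]' ), true );
}

// Constructed sample URLs, each paired with the decision the rule should give.
$samples = array(
	'https://app.example/callback'      => true,
	'http://127.0.0.1:3000/callback'    => true,
	'http://[::1]:8080/callback'        => true,
	'http://localhost:3000/callback'    => false,
	'http://127.0.0.1.other.example/cb' => false,
	'http://127.0.0.1@other.example/cb' => false,
	'http://app.example/callback'       => false,
);

foreach ( $samples as $url => $expected ) {
	$actual = example_is_redirect_url_allowed( $url );
	printf(
		"%-36s %-6s %s\n",
		$url,
		$actual ? 'allow' : 'reject',
		$actual === $expected ? 'ok' : 'MISMATCH'
	);
}
```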