[wp-trac] [WordPress Trac] #57809: Application password success_url should allow http when directed to localhost
WordPress Trac
noreply at wordpress.org
Sat Feb 25 21:32:38 UTC 2023
#57809: Application password success_url should allow http when directed to
localhost
-------------------------+-----------------------------
 Reporter:  aquarius     |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  General      |     Version:
 Severity:  normal       |    Keywords:
  Focuses:               |
-------------------------+-----------------------------
When using wp-admin/authorize-application.php to walk a user through the
application password flow, WordPress will refuse to use a success_url with
an http scheme, requiring that it's https (or a custom scheme). This is
good security, and browsers implement the same SSL requirement for many
browser APIs for the same reason. However, browsers also have an exception
for http://localhost URLs, because it makes local testing much easier.
WordPress should do the same here; a local test of a web app which
interacts with the WordPress API should be able to walk a user through the
application passwords flow, and at the moment it can't. Similarly, a non-
web app running on a desktop computer can stand up a temporary HTTP
webserver on a high-numbered port to serve the success_url much more
easily than it can register a custom URL scheme.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57809>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
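
The scheme rule requested in the ticket above, sketched as an added example (this is not WordPress core code and not part of the original message). The function name and the sample URLs are hypothetical; the check compares the parsed host exactly, so look-alike hosts and userinfo tricks do not qualify as localhost.

```php
<?php
// Added illustration only. example_is_allowed_success_url() is a hypothetical
// name, not a WordPress function. It covers just the scheme rule from the
// ticket; any other validation of success_url is out of scope here.

function example_is_allowed_success_url( string $url ): bool {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['scheme'] ) ) {
        return false; // Unparseable or scheme-less URL.
    }

    $scheme = strtolower( $parts['scheme'] );
    if ( 'http' !== $scheme ) {
        return true; // https or a custom scheme, which the ticket says is accepted.
    }

    // Plain http: allow only when the parsed host is a loopback name or address.
    // Compare the host component exactly; never substring-match the raw URL.
    $host           = strtolower( $parts['host'] ?? '' );
    $loopback_hosts = array( 'localhost', '127.0.0.1', '[::1]' );

    return in_array( $host, $loopback_hosts, true );
}

// Constructed sample inputs (not taken from the ticket).
$samples = array(
    'https://app.example/callback',          // https
    'exampleapp://auth-done',                // custom scheme
    'http://localhost:49152/callback',       // temporary local server, high port
    'http://127.0.0.1:8080/callback',        // IPv4 loopback
    'http://[::1]:8080/callback',            // IPv6 loopback
    'http://app.example/callback',           // plain http to a remote host
    'http://localhost.attacker.example/cb',  // look-alike host name
    'http://localhost@attacker.example/cb',  // "localhost" is userinfo, not the host
);

foreach ( $samples as $url ) {
    printf(
        "%-40s %s\n",
        $url,
        example_is_allowed_success_url( $url ) ? 'allowed' : 'rejected'
    );
}
```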