Make WordPress Core


Ignore:
Timestamp:
02/07/2023 05:43:55 PM (15 months ago)
Author:
johnbillion
Message:

Application Passwords: Allow plain HTTP success and reject URLs when using a local environment type.

It's not uncommon for local environments to run over HTTP due to the relative complexity of configuring HTTPS for a local environment. This change allows HTTP URLs for application password responses when that is the case.

Props peterwilsoncc, wppunk, cadic, viralsampat

Fixes #52617

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/user.php

    r55099 r55283  
    613613 *
    614614 * @since 5.6.0
     615 * @since 6.2.0 Allow insecure HTTP connections for the local environment.
    615616 *
    616617 * @param array   $request {
     
    626627 */
    627628function wp_is_authorize_application_password_request_valid( $request, $user ) {
    628     $error = new WP_Error();
     629    $error    = new WP_Error();
     630    $is_local = 'local' === wp_get_environment_type();
    629631
    630632    if ( ! empty( $request['success_url'] ) ) {
    631633        $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
    632634
    633         if ( 'http' === $scheme ) {
     635        if ( 'http' === $scheme && ! $is_local ) {
    634636            $error->add(
    635637                'invalid_redirect_scheme',
     
    642644        $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
    643645
    644         if ( 'http' === $scheme ) {
     646        if ( 'http' === $scheme && ! $is_local ) {
    645647            $error->add(
    646648                'invalid_redirect_scheme',
Note: See TracChangeset for help on using the changeset viewer.