It allows to redirect to the same hostname at a different port (where a malicious entity may be waiting for the access_token)
It allows for a redirection from a HTTPS origin to a HTTP origin with the same hostname (could be a typo for instance) and a "Man-in-the-middle" would capture the access_token
We should probably move to an origin-based allowlist
It allows to redirect to the same hostname at a different port (where a malicious entity may be waiting for the
access_token)It allows for a redirection from a HTTPS origin to a HTTP origin with the same hostname (could be a typo for instance) and a "Man-in-the-middle" would capture the
access_tokenWe should probably move to an origin-based allowlist