success_url should be forced to be https #116
Comments
That’s a great point @jdevalk! Do you suggest we always override the return URL to be HTTPS and have a filter in place to disable the override?

No I just wouldn't redirect to it if it isn't https.
I'd initially thought that perhaps instead of accepting a http url, we could just display the credentials to the user, so that they can enter it into the app manually -- however that seems kinda silly as most apps using this flow wouldn't have a place for the user to enter the creds if they were expecting to get them back via a redirect. Also, if we force it to reject

It should be a simple conditional added somewhere around here:
application-passwords/class.application-passwords.php Lines 441 to 455 in 6a1e9ef

-- just worth noting that if we did, we would need to do it in a way that only rejects urls matching with https://developer.android.com/training/app-links
How about introducing a

@georgestephanis Are you suggesting we add a warning/notice to that particular admin section if the redirect URL starts with

A basic
We should only redirect back to $success_url if it is HTTPS. Otherwise you're exposing the application password over plain HTTP. We might want to add an override for that for testing purposes but then we should output a clear warning on the screen that the success URL is not secure.
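The check the issue asks for, written out as an added example (this is not the plugin's own code and the function, array shape and filter name are assumptions): the plugin would call something like this before issuing the redirect, refuse any `$success_url` whose scheme is not `https`, and only let a plain-`http` URL through when a testing override is on, in which case it hands back the warning text the admin screen should display. Scheme comparison is case-insensitive so `HTTPS://` is treated as secure, and URLs with no scheme or host (for example `//example.com/cb`) are rejected outright.

```php
<?php
// Added example for issue #116, not code from the application-passwords plugin.
// Decides whether an application password may be sent back to $success_url.

/**
 * Validate the success URL an app supplied for the redirect.
 *
 * @param string $success_url    URL the requesting app wants the credentials sent to.
 * @param bool   $allow_insecure Testing override. In the plugin this value would come from
 *                               a filter, e.g.
 *                               apply_filters( 'application_passwords_allow_insecure_success_url', false, $success_url )
 *                               -- that hook name is an assumption, not an existing filter.
 * @return array { 'allowed' => bool, 'reason' => string, 'warning' => string|null }
 */
function app_passwords_check_success_url( $success_url, $allow_insecure = false ) {
	$parts = parse_url( $success_url );

	// Anything parse_url cannot handle, or that lacks a scheme or host, is refused.
	if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return array( 'allowed' => false, 'reason' => 'unparseable', 'warning' => null );
	}

	$scheme = strtolower( $parts['scheme'] );

	// The normal case: HTTPS only, no warning needed.
	if ( 'https' === $scheme ) {
		return array( 'allowed' => true, 'reason' => 'https', 'warning' => null );
	}

	// Design choice for this example: the override covers plain http only (local dev
	// servers), and the caller must surface the returned warning on screen.
	if ( 'http' === $scheme && $allow_insecure ) {
		return array(
			'allowed' => true,
			'reason'  => 'insecure-override',
			'warning' => sprintf(
				'The success URL %s is not HTTPS; the application password will be sent in clear text.',
				$success_url
			),
		);
	}

	// Every other scheme (http without the override, custom schemes, javascript:, ...)
	// is rejected so the password is never redirected over an unprotected channel.
	return array( 'allowed' => false, 'reason' => 'insecure', 'warning' => null );
}

// Constructed sample inputs to show each branch.
$samples = array(
	array( 'https://app.example/callback', false ),
	array( 'HTTPS://app.example/callback', false ),
	array( 'http://app.example/callback', false ),
	array( 'http://localhost:8080/callback', true ),
	array( 'myapp://callback', true ),
	array( '//app.example/callback', false ),
	array( 'not a url', false ),
);

foreach ( $samples as $sample ) {
	list( $url, $override ) = $sample;
	$result = app_passwords_check_success_url( $url, $override );
	printf(
		"%-32s override=%-5s allowed=%-5s reason=%s%s\n",
		$url,
		$override ? 'true' : 'false',
		$result['allowed'] ? 'true' : 'false',
		$result['reason'],
		$result['warning'] ? ' warning: ' . $result['warning'] : ''
	);
}
```

Run it with `php check.php`; only the two HTTPS URLs and the `http://localhost` URL under the override are allowed, and that last one comes back with the warning text the admin screen is expected to show.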