It allows a redirect to the same hostname on a different port (where a malicious entity may be waiting to receive the access_token)
It allows a redirect from an HTTPS origin to an HTTP origin with the same hostname (which could be a typo, for instance), and a man-in-the-middle would then capture the access_token
We should probably move to an origin-based allowlist
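An added illustration of the difference between the two checks, not code from this project: the weak hostname-only comparison described above beside an origin-based allowlist that compares scheme, host and port (with default ports made explicit so `https://host/` and `https://host:443/` agree). The allowlist entry and the redirect URIs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist for this example; a real server would load
# the registered redirect URIs for the client being authorized.
ALLOWED_REDIRECTS = ["https://app.example.com/callback"]

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed.

    The default port for the scheme is filled in so that an explicit ":443"
    compares equal to an implicit one.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not scheme or not host:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def hostname_only_allowed(redirect_uri, allowlist=ALLOWED_REDIRECTS):
    """The weak check: only the hostname is compared.

    Both a different port and an http:// downgrade pass this check, which is
    exactly the problem described in the issue.
    """
    requested = urlsplit(redirect_uri).hostname
    return requested is not None and any(
        requested == urlsplit(allowed).hostname for allowed in allowlist
    )


def origin_allowed(redirect_uri, allowlist=ALLOWED_REDIRECTS):
    """Origin-based check: scheme, host and port must all match an entry."""
    requested = _origin(redirect_uri)
    if requested is None:
        return False
    return any(requested == _origin(allowed) for allowed in allowlist)


if __name__ == "__main__":
    for uri in [
        "https://app.example.com/callback",       # legitimate
        "https://app.example.com:8443/steal",     # same host, other port
        "http://app.example.com/callback",        # https -> http downgrade
    ]:
        print(uri, "hostname-only:", hostname_only_allowed(uri),
              "origin:", origin_allowed(uri))
```

Matching on origin closes both holes listed above; whether to additionally require an exact path match is a separate decision, since the origin check on its own still lets any path on the registered origin receive the token.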