Skip to content

Application Passwords: Add a safer authorize flow for browser-based apps.#12191

Draft
KarunyaChavan wants to merge 1 commit into
WordPress:trunkfrom
KarunyaChavan:fix/65110-app-password-post-callback
Draft

Application Passwords: Add a safer authorize flow for browser-based apps.#12191
KarunyaChavan wants to merge 1 commit into
WordPress:trunkfrom
KarunyaChavan:fix/65110-app-password-post-callback

Conversation

@KarunyaChavan

@KarunyaChavan KarunyaChavan commented Jun 16, 2026

Copy link
Copy Markdown

This PR fixes a security limitation in the Application Passwords authorization flow where generated credentials (site_url, user_login, password) are leaked into the browser's URL query string during the final callback redirection. By introducing a new success_format=form_post parameter, third-party applications can now securely receive credentials via an auto-submitted HTML form payload rather than URL parameters, preventing exposure in browser histories, proxy servers, and analytics tools.

Trac ticket: https://core.trac.wordpress.org/ticket/65110

What Changed?

  • Added success_format validation: Updated wp_is_authorize_application_password_request_valid() to accept a new success_format parameter (defaulting to query).
  • Added validation to ensure form_post is only used with http or https callback URLs.
  • Server-rendered fallback (authorize-application.php): When success_format=form_post is requested, the authorization screen now renders an HTML document containing a hidden form that automatically submits the authorization payload to the provided success_url via POST.
  • JavaScript flow (auth-app.js): Updated the client-side authorization flow to construct and submit a form dynamically, enabling POST-based redirects while preserving the existing user experience.

Authorization Flow

Legacy Flow (unchanged)

If success_format is omitted or set to query, the existing behavior remains unchanged. The authorization flow completes with a standard GET redirect:

https://app.example/callback?site_url=...&user_login=...&password=...

This ensures full backward compatibility for existing integrations.

Secure Flow (success_format=form_post)

When success_format=form_post is specified, the authorization flow completes by issuing a top-level POST request to the provided success_url.
The following values are transmitted in the POST body:

  • site_url
  • user_login
  • password

As a result, sensitive credentials no longer appear in the browser URL, browser history, intermediary logs, or analytics tooling. Applications can securely retrieve the values from the incoming POST payload.

Use of AI Tools

AI assistance: Yes
Tool(s): Google Antigravity
Model(s): Gemini 3.1 Pro
Used for: Used for adding tests for ensuring the applied patch.

@KarunyaChavan
feat(Application Passwords): add POST-based success callback handling.
63029e4 
- Add success_format=form_post to return Application Password credentials via an auto-submitted POST instead of URL query parameters.
- Validate success_format requests and restrict callback URLs to HTTP/HTTPS protocols.
@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

Hi there! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

Thank you,
The WordPress Project

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@KarunyaChavan