Completely remove the reject_url handling. If a user rejects a request, it should not send any data to the requesting site or app.

johnbillion · johnbillion · commit 9d04cdc96f1e · 2026-02-27T12:54:59.000Z
diff --git a/src/js/_enqueues/admin/auth-app.js b/src/js/_enqueues/admin/auth-app.js
@@ -11,8 +11,7 @@
 		$form = $appNameField.closest( 'form' ),
 		context = {
 			userLogin: authApp.user_login,
-			successUrl: authApp.success,
-			rejectUrl: authApp.reject
+			successUrl: authApp.success
 		};
 
 	// If redirecting to an external site, gate the approve button behind the confirmation checkbox.
@@ -61,12 +60,12 @@
 		 * Filters the request data used to Authorize an Application Password request.
 		 *
 		 * @since 5.6.0
+		 * @since x.y.z A reject URL is no longer supported or used.
 		 *
 		 * @param {Object} request            The request data.
 		 * @param {Object} context            Context about the Application Password request.
 		 * @param {string} context.userLogin  The user's login username.
 		 * @param {string} context.successUrl The URL the user will be redirected to after approving the request.
-		 * @param {string} context.rejectUrl  The URL the user will be redirected to after rejecting the request.
 		 */
 		request = wp.hooks.applyFilters( 'wp_application_passwords_approve_app_request', request, context );
 
@@ -187,16 +186,22 @@
 		 * Fires when an Authorize Application Password request has been rejected by the user.
 		 *
 		 * @since 5.6.0
+		 * @since x.y.z A reject URL is no longer supported or used.
 		 *
 		 * @param {Object} context            Context about the Application Password request.
 		 * @param {string} context.userLogin  The user's login username.
 		 * @param {string} context.successUrl The URL the user will be redirected to after approving the request.
-		 * @param {string} context.rejectUrl  The URL the user will be redirected to after rejecting the request.
 		 */
 		wp.hooks.doAction( 'wp_application_passwords_reject_app', context );
 
-		// @todo: Make a better way to do this so it feels like less of a semi-open redirect.
-		window.location = authApp.reject;
+		var $notice = $( '<div></div>' )
+			.attr( 'role', 'alert' )
+			.attr( 'tabindex', -1 )
+			.addClass( 'notice notice-info' )
+			.append( $( '<p></p>' ).text( wp.i18n.__( 'You have not approved this connection. No data has been shared with the application.' ) ) );
+
+		$form.replaceWith( $notice );
+		$notice.trigger( 'focus' );
 	} );
 
 	$form.on( 'submit', function( e ) {
diff --git a/src/wp-admin/authorize-application.php b/src/wp-admin/authorize-application.php
@@ -17,17 +17,12 @@
 	check_admin_referer( 'authorize_application_password' );
 
 	$success_url = $_POST['success_url'];
-	$reject_url  = $_POST['reject_url'];
 	$app_name    = $_POST['app_name'];
 	$app_id      = $_POST['app_id'];
 	$redirect    = '';
 
 	if ( isset( $_POST['reject'] ) ) {
-		if ( $reject_url ) {
-			$redirect = $reject_url;
-		} else {
-			$redirect = admin_url();
-		}
+		$redirect = admin_url();
 	} elseif ( isset( $_POST['approve'] ) ) {
 		$created = WP_Application_Passwords::create_new_application_password(
 			get_current_user_id(),
@@ -69,17 +64,9 @@
 $app_id      = ! empty( $_REQUEST['app_id'] ) ? $_REQUEST['app_id'] : '';
 $success_url = ! empty( $_REQUEST['success_url'] ) ? $_REQUEST['success_url'] : null;
 
-if ( ! empty( $_REQUEST['reject_url'] ) ) {
-	$reject_url = $_REQUEST['reject_url'];
-} elseif ( $success_url ) {
-	$reject_url = add_query_arg( 'success', 'false', $success_url );
-} else {
-	$reject_url = null;
-}
-
 $user = wp_get_current_user();
 
-$request  = compact( 'app_name', 'app_id', 'success_url', 'reject_url' );
+$request  = compact( 'app_name', 'app_id', 'success_url' );
 $is_valid = wp_is_authorize_application_password_request_valid( $request, $user );
 
 if ( is_wp_error( $is_valid ) ) {
@@ -96,7 +83,7 @@
 		array(
 			'response'  => 501,
 			'link_text' => __( 'Go Back' ),
-			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
+			'link_url'  => admin_url(),
 		)
 	);
 }
@@ -114,7 +101,7 @@
 		array(
 			'response'  => 501,
 			'link_text' => __( 'Go Back' ),
-			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
+			'link_url'  => admin_url(),
 		)
 	);
 }
@@ -131,10 +118,9 @@
 	'auth-app',
 	'authApp',
 	array(
-		'site_url'   => site_url(),
-		'user_login' => $user->user_login,
-		'success'    => $success_url,
-		'reject'     => $reject_url ? $reject_url : admin_url(),
+		'site_url'    => site_url(),
+		'user_login'  => $user->user_login,
+		'success'     => $success_url,
 		'successHost' => $success_host,
 	)
 );
@@ -203,7 +189,6 @@
 				<input type="hidden" name="action" value="authorize_application_password" />
 				<input type="hidden" name="app_id" value="<?php echo esc_attr( $app_id ); ?>" />
 				<input type="hidden" name="success_url" value="<?php echo esc_url( $success_url ); ?>" />
-				<input type="hidden" name="reject_url" value="<?php echo esc_url( $reject_url ); ?>" />
 
 				<?php if ( $app_name ) : ?>
 					<p>
@@ -305,7 +290,6 @@
 				 *
 				 *     @type string $app_name    The suggested name of the application.
 				 *     @type string $success_url The URL the user will be redirected to after approving the application.
-				 *     @type string $reject_url  The URL the user will be redirected to after rejecting the application.
 				 * }
 				 * @param WP_User $user The user authorizing the application.
 				 */
@@ -326,25 +310,9 @@
 					__( 'No, I do not approve of this connection' ),
 					'secondary',
 					'reject',
-					false,
-					array(
-						'aria-describedby' => 'description-reject',
-					)
+					false
 				);
 				?>
-				<p class="description" id="description-reject">
-					<?php
-					if ( $reject_url ) {
-						printf(
-							/* translators: %s: The URL the user is being redirected to. */
-							__( 'You will be sent to %s' ),
-							'<strong><code>' . esc_html( $reject_url ) . '</code></strong>'
-						);
-					} else {
-						_e( 'You will be returned to the WordPress Dashboard, and no changes will be made.' );
-					}
-					?>
-				</p>
 			</form>
 		<?php endif; ?>
 	</div>
diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
@@ -638,15 +638,15 @@ function admin_created_user_email( $text ) {
  *
  * @since 5.6.0
  * @since 6.2.0 Allow insecure HTTP connections for the local environment.
- * @since 6.3.2 Validates the success and reject URLs to prevent `javascript` pseudo protocol from being executed.
+ * @since 6.3.2 Validates the success URL to prevent `javascript` pseudo protocol from being executed.
+ * @since x.y.z A reject URL is no longer supported or used.
  *
  * @param array   $request {
  *     The array of request data. All arguments are optional and may be empty.
  *
  *     @type string $app_name    The suggested name of the application.
  *     @type string $app_id      A UUID provided by the application to uniquely identify it.
  *     @type string $success_url The URL the user will be redirected to after approving the application.
- *     @type string $reject_url  The URL the user will be redirected to after rejecting the application.
  * }
  * @param WP_User $user The user authorizing the application.
  * @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
@@ -664,16 +664,6 @@ function wp_is_authorize_application_password_request_valid( $request, $user ) {
 		}
 	}
 
-	if ( isset( $request['reject_url'] ) ) {
-		$validated_reject_url = wp_is_authorize_application_redirect_url_valid( $request['reject_url'] );
-		if ( is_wp_error( $validated_reject_url ) ) {
-			$error->add(
-				$validated_reject_url->get_error_code(),
-				$validated_reject_url->get_error_message()
-			);
-		}
-	}
-
 	if ( ! empty( $request['app_id'] ) && ! wp_is_uuid( $request['app_id'] ) ) {
 		$error->add(
 			'invalid_app_id',
diff --git a/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationPasswordRequestValid_Test.php b/tests/phpunit/tests/admin/Admin_Includes_User_WpIsAuthorizeApplicationPasswordRequestValid_Test.php
@@ -52,24 +52,12 @@ public function data_is_authorize_application_password_request_valid() {
 				'env'                 => $environment_type,
 			);
 
-			$datasets[ $environment_type . ' and a "https" scheme "reject_url"' ] = array(
-				'request'             => array( 'reject_url' => 'https://example.org' ),
-				'expected_error_code' => '',
-				'env'                 => $environment_type,
-			);
-
 			$datasets[ $environment_type . ' and an app scheme "success_url"' ] = array(
 				'request'             => array( 'success_url' => 'wordpress://example' ),
 				'expected_error_code' => '',
 				'env'                 => $environment_type,
 			);
 
-			$datasets[ $environment_type . ' and an app scheme "reject_url"' ] = array(
-				'request'             => array( 'reject_url' => 'wordpress://example' ),
-				'expected_error_code' => '',
-				'env'                 => $environment_type,
-			);
-
 			$datasets[ $environment_type . ' and a "http" scheme "success_url"' ] = array(
 				'request'             => array( 'success_url' => 'http://example.org' ),
 				'expected_error_code' => 'local' === $environment_type ? '' : 'invalid_redirect_scheme',
