The Wordpress code seems to do a same-host check on urls that are fetched using wp_safe_remote_get()
.
Here's the source: https://github.com/WordPress/WordPress/blob/c73a812109e1a64ecf21b6a198f949c58d1f2674/wp-includes/http.php
The significant part is the wp_http_validate_url
function, and in particular lines 524-530, which are here:
$parsed_home = @parse_url( get_option( 'home' ) );
if ( isset( $parsed_home['host'] ) ) {
$same_host = ( strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ) || 'localhost' === strtolower( $parsed_url['host'] ) );
} else {
$same_host = false;
}
If $same_host
is false
, the method treats the url as not safe.
There's no whitelist that I can see. You'd probably need to edit the code to use wp_remote_get()
if you want to avoid the problem.
UPDATE: the preceding argument is wrong. The code returns the url even if the host is not the same as long as the port is normal.