Whether url is safe to fetch for OAuth/discovery: it MUST use the https
scheme, OR target an explicit loopback host (localhost, 127.0.0.1,
[::1], and their numeric encodings) over http for local development.
Plaintext http to any other host is rejected, as are URLs whose host is a
private/link-local IPv4 or IPv6 literal (including alternate numeric IPv4
encodings and IPv4-mapped/compatible IPv6). Purely lexical (no DNS): it is a
coarse pre-filter on the attacker-influenced resource_metadata URL. The
authoritative, TOCTOU-safe SSRF guard for an actual fetch is
secureRequestHTTP, which resolves, classifies and pins via the connector.
Whether url is safe to fetch for OAuth/discovery: it MUST use the https scheme, OR target an explicit loopback host (localhost, 127.0.0.1, [::1], and their numeric encodings) over http for local development. Plaintext http to any other host is rejected, as are URLs whose host is a private/link-local IPv4 or IPv6 literal (including alternate numeric IPv4 encodings and IPv4-mapped/compatible IPv6). Purely lexical (no DNS): it is a coarse pre-filter on the attacker-influenced resource_metadata URL. The authoritative, TOCTOU-safe SSRF guard for an actual fetch is secureRequestHTTP, which resolves, classifies and pins via the connector.