Perform more complex checking of callback URLs

Protocol of the callback URL is allowed to be upgraded from http to
https, but not downgraded from https to http.

Rather than a simple prefix match, ensure that the callback strictly
matches the host of the known prefix. This prevents a theoretical
hijacking attack against registered callbacks which do not include
a path component at all (e.g. "https://example.com").

Another possible hijacking vector of adding a port when the registered
callback specifies neither a port nor a path is also disallowed. There
is one known use of this former behavior in the MediaWiki-Vagrant
OAuthAuthentication testing role that will be broken by this stricter
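
The checks described in this commit message, sketched as an added example that is not the code from this change: a component-wise comparison in place of a string prefix match. The function name and sample URLs are hypothetical. Requiring the port to match exactly in every case and prefix-matching only the path are assumptions of this sketch.

```php
<?php
// Added illustration, not the project's implementation.
// callbackMatchesRegistered() is a hypothetical name.
function callbackMatchesRegistered( string $registered, string $requested ): bool {
	$reg = parse_url( $registered );
	$req = parse_url( $requested );
	if ( !is_array( $reg ) || !is_array( $req )
		|| !isset( $reg['scheme'], $reg['host'], $req['scheme'], $req['host'] )
	) {
		return false; // unparsable or relative URL: refuse
	}

	// Scheme: identical, or an upgrade from http to https. Never a downgrade.
	$regScheme = strtolower( $reg['scheme'] );
	$reqScheme = strtolower( $req['scheme'] );
	$isUpgrade = $regScheme === 'http' && $reqScheme === 'https';
	if ( $reqScheme !== $regScheme && !$isUpgrade ) {
		return false;
	}

	// Host: strict equality, so a registered "https://example.com" cannot be
	// satisfied by a longer hostname that merely starts with the same characters.
	if ( strtolower( $reg['host'] ) !== strtolower( $req['host'] ) ) {
		return false;
	}

	// Port: assumption of this sketch - must match exactly, so a port cannot
	// be added when the registered callback specifies none.
	if ( ( $reg['port'] ?? null ) !== ( $req['port'] ?? null ) ) {
		return false;
	}

	// Path: the registered path stays a prefix of the requested path.
	$regPath = $reg['path'] ?? '';
	$reqPath = $req['path'] ?? '';
	return strncmp( $reqPath, $regPath, strlen( $regPath ) ) === 0;
}

// Constructed sample callbacks checked against a registration with no port or path.
$registered = 'https://example.com';
$samples = [
	'https://example.com/oauth/callback',  // same host, path added
	'https://example.com.other.example/',  // longer host sharing the prefix
	'https://example.com:8443/callback',   // port added
	'http://example.com/oauth/callback',   // https downgraded to http
];
foreach ( $samples as $url ) {
	$verdict = callbackMatchesRegistered( $registered, $url ) ? 'accept' : 'reject';
	printf( "%-40s %s\n", $url, $verdict );
}
```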