proxy: restrict programmatic URLs to localhost (#2049)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Travis Groth 2021-04-01 10:04:49 -04:00 committed by GitHub
parent 0635c838c9
commit c7d243d742
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 822 additions and 126 deletions


@ -23,6 +23,8 @@ $ curl "https://verify.example.com/.pomerium/api/v1/login?pomerium_redirect_uri=
https://authenticate.example.com/.pomerium/sign_in?pomerium_redirect_uri=http%3A%2F%2Flocalhost%3Fpomerium_callback_uri%3Dhttps%253A%252F%verify.corp.example%252F.pomerium%252Fapi%252Fv1%252Flogin%253Fpomerium_redirect_uri%253Dhttp%253A%252F%252Flocalhost&sig=hsLuzJctmgsN4kbMeQL16fe_FahjDBEcX0_kPYfg8bs%3D&ts=1573262981
```
By default only `localhost` URLs are allowed as the `pomerium_redirect_uri`. This can be customized with the `programmatic_redirect_domain_whitelist` option.
### Callback handler
It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `pomerium_redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` query parameters.
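Review bot: the added sentence about the `localhost` default leaves the matching rule unstated, which matters because the sample `pomerium_redirect_uri` in this hunk is a full URL (`http://localhost`) rather than a bare domain. Say whether the whitelist compares only the hostname (so a redirect to `http://localhost:8080/callback` passes while `127.0.0.1` does not unless listed) and whether entries in `programmatic_redirect_domain_whitelist` must match exactly or also cover subdomains; a one-line example of the option value would settle both. The same paragraph should also say what a caller receives when the redirect URI is rejected, since the callback handler text that follows assumes the login URL is always issued.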


@ -5,6 +5,13 @@ description: >-
for Pomerium. Please read it carefully.
---
# Since 0.13.0
## Breaking
### Programmatic login domain whitelist
Programmatic login now restricts the allowed redirect URL domains. By default this is set to `localhost`, but can be changed via the `programmatic_redirect_domain_whitelist` option.
# Since 0.12.0
## New
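Review bot: the breaking-change entry under "Programmatic login domain whitelist" tells operators what changed but not what to do about it. Add that any deployment whose programmatic clients pass a `pomerium_redirect_uri` with a domain other than `localhost` must add those domains to `programmatic_redirect_domain_whitelist` before moving to 0.13.0, otherwise those login requests are rejected, and state the option's expected format (a list of domains) or link to its entry in the settings reference. It would also help readers to clarify that the restriction applies to the programmatic login API only, so ordinary browser-based sign-in is unaffected, if that is the intended scope.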