Application Passwords: Allow HTTP loopback redirect URLs

This change allows HTTP redirect URLs for loopback addresses (`127.0.0.1`, `[::1]`) in `wp_is_authorize_application_redirect_url_valid()`, regardless of environment type. This aligns the application password implementation with RFC 8252 7.3.

It's worth noting that section 8.3 of the RFC recommends against allowing `localhost` as a loopback redirect, since it may be susceptible to firewall interception and DNS resolution poisoning.

Props aquarius, pento.
Fixes #57809.



git-svn-id: https://develop.svn.wordpress.org/trunk@62096 602fd350-edb4-49c9-b593-d223f7449a82