Forum OpenACS Development: Re: ad_returnredirect and external auth

Posted by Dave Bauer on
A list of allowed hosts is not secure. This would allow anyone to craft a link that included a return_url that was not designated by the application.

Using the configured password URL for the authority is ok since it's not user supplied data. So by default we always reject external urls just like we HTML quote data supplied in variables that could be user entered data. Return_url is usually passed in as a URL variable so it needs to be checked for valid input.

Anyplace you are using a return_url that has been supplied by the system instead of a URL variable, you can use the allow_complete_url switch to allow external urls.
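An added example, not part of the original post and not OpenACS's own implementation: the default-reject rule for a user-supplied return_url, written in plain Tcl. The proc name `local_return_url_p` and the sample values are hypothetical.

```tcl
# Hypothetical helper (not an OpenACS proc): returns 1 only when the
# candidate return_url is a path on this site, 0 otherwise.
proc local_return_url_p {url} {
    # Empty values, control characters and backslashes are rejected;
    # some browsers treat "\" like "/", which can turn a path into a host.
    if {$url eq ""
        || [regexp {[[:cntrl:]]} $url]
        || [string first "\\" $url] >= 0} {
        return 0
    }
    # Absolute URLs (scheme:...) and protocol-relative URLs (//host)
    # both leave the site, so both count as external.
    if {[regexp {^[A-Za-z][A-Za-z0-9+.-]*:} $url]
        || [string match "//*" $url]} {
        return 0
    }
    # What remains must be a site-absolute path.
    return [string match "/*" $url]
}

# Constructed sample values, as they might arrive in a URL variable.
foreach url {
    /forums/
    /register/?return_url=%2fforums%2f
    https://other.example/login
    //other.example/login
    {}
} {
    set verdict [expr {[local_return_url_p $url] ? "redirect" : "reject"}]
    puts [format "%-40s %s" "\"$url\"" $verdict]
}

# A URL read from system configuration (such as the authority's password
# URL mentioned in the post) never passes through a URL variable, which is
# the case the post reserves for the allow_complete_url switch of
# ad_returnredirect.
```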