feat: include CSRF_TRUSTED_ORIGINS in callback URL validation is_safe_url

Co-authored-by: VHS <listas.vhs@gmail.com>
Co-committed-by: VHS <listas.vhs@gmail.com>

Author: vhsantos

allauth/account/adapter.py

@@ -587,6 +587,13 @@ def is_safe_url(self, url):
         # get_host already validates the given host, so no need to check it again
         allowed_hosts = {context.request.get_host()} | set(settings.ALLOWED_HOSTS)
 
+        # Include hosts derived from CSRF_TRUSTED_ORIGINS
+        trusted_hosts = {
+            urlparse(origin).netloc for origin in settings.CSRF_TRUSTED_ORIGINS
+        }
+        allowed_hosts.update(trusted_hosts)
+
+        # Handle wildcard case
         if "*" in allowed_hosts:
             parsed_host = urlparse(url).netloc
             allowed_host = {parsed_host} if parsed_host else None