Having looked over the code, I would like to suggest that there be some way to compare the remote host in the redirects to a list of approved hosts. If there is an attempt to redirect to a host not on the approved list, then the redirect should be blocked and the user possibly warned.
My reason for making this suggestion is that a clever person could use this to redirect someone to a malicious site in an attempt to fish credentials or other personal information from them.
We can presumably trust the e-resource vendors using this feature to not do that to our users.
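One way the approved-host check suggested above could look, as an added example that is not part of the original comment and is not the project's own code. The host names, the `redirect_allowed` function and the https-only rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical approved hosts; a real deployment would load these from
# configuration rather than hard-coding them.
APPROVED_HOSTS = frozenset({"vendor.example.com", "ebooks.example.org"})


def redirect_allowed(url, approved=APPROVED_HOSTS):
    """Return True only for an absolute https URL whose host is approved."""
    # Backslashes, whitespace and control characters are interpreted
    # differently by browsers and by server-side parsers, so refuse them.
    if any(ch == "\\" or ord(ch) < 0x21 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, with userinfo and port removed
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Assumption: only https targets are acceptable. This also rejects
    # scheme-relative ("//host/") and non-network schemes.
    if parts.scheme != "https" or not host:
        return False
    if host.endswith("."):  # treat the fully qualified form as the same host
        host = host[:-1]
    # Exact match only: a suffix or substring test would also accept
    # look-alike hosts such as vendor.example.com.attacker.example.
    return host in approved


def blocked_redirects(urls, approved=APPROVED_HOSTS):
    """Return the URLs that would be blocked, e.g. for logging or a warning."""
    return [u for u in urls if not redirect_allowed(u, approved)]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real log.
    samples = [
        "https://vendor.example.com/login?session=abc",
        "https://vendor.example.com@unapproved.example/",
        "https://vendor.example.com.unapproved.example/",
        "//unapproved.example/",
    ]
    for url in samples:
        print("allow" if redirect_allowed(url) else "BLOCK", url)
```

Comparing the parsed host, not the raw string, is what keeps a URL that merely contains an approved name from passing.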