Comment 10 for bug 1440958

David Stanek (dstanek) wrote :

In theory, relaxing the exact match makes us vulnerable to an attack if this functionality is used with a dashboard that allows unvalidated redirects.

Could a user spoof this by setting the dashboard URL to something like: http://dashboard/redirect?url=http://hacked_site ?

And if they can what could they steal?
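Added illustration, not code from the bug or from Keystone: it models the exact versus relaxed dashboard check the comment refers to, and the validation the dashboard itself would need on its redirect parameter. The trusted URL is constructed, and "relaxing" is assumed to mean accepting any URL on the trusted dashboard's scheme and host.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed configuration: the one dashboard URL Keystone is told to trust.
# Assumption: "relaxing the exact match" means accepting any URL on the same
# scheme+host as this entry; the comment does not spell that out.
TRUSTED_DASHBOARD = "http://dashboard/auth/websso"


def exact_match(url: str) -> bool:
    """Original behaviour: only the configured URL string is accepted."""
    return url == TRUSTED_DASHBOARD


def origin_match(url: str) -> bool:
    """Relaxed behaviour: anything on the trusted dashboard's origin passes,
    including an endpoint that happens to be an open redirect."""
    want, got = urlsplit(TRUSTED_DASHBOARD), urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def redirect_target_from(dashboard_url: str) -> Optional[str]:
    """Value of the ?url= parameter the dashboard's redirect endpoint would follow."""
    return parse_qs(urlsplit(dashboard_url).query).get("url", [None])[0]


def safe_redirect_target(url_param: str) -> bool:
    """Check the dashboard must do on ?url=: follow only site-relative paths.
    Anything carrying a scheme or host (including protocol-relative //host)
    could send the browser off-site, so it is refused."""
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return False
    return url_param.startswith("/")


# The URL from the comment: same origin as the trusted dashboard, but the
# endpoint is a redirect whose ?url= points off-site.
SPOOFED = "http://dashboard/redirect?url=http://hacked_site"

if __name__ == "__main__":
    print("exact match accepts spoofed URL:", exact_match(SPOOFED))
    print("origin match accepts spoofed URL:", origin_match(SPOOFED))
    target = redirect_target_from(SPOOFED)
    print("redirect target:", target, "safe:", safe_redirect_target(target))
```

The relaxed check cannot distinguish the redirect endpoint from any other page on the trusted host, so the only effective control is the dashboard refusing non-relative redirect targets.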