diff --git a/moonraker/app.py b/moonraker/app.py
index a58fa06..eb1819a 100644
--- a/moonraker/app.py
+++ b/moonraker/app.py
@@ -919,4 +919,9 @@ class RedirectHandler(AuthorizedRequestHandler):
                     400, "No url argument provided")
             url = body_args['url']
             assert url is not None
+        # validate the url origin
+        auth: AuthComp = self.server.lookup_component('authorization', None)
+        if auth is None or not auth.check_cors(url.rstrip("/")):
+            raise tornado.web.HTTPError(
+                400, f"Unauthorized URL redirect: {url}")
         self.redirect(url)