by userbinator 2727 days ago
Open redirects are also used to prevent referrers from propagating through. In that sense, they're very useful for anonymisation.

You have never needed an open redirect for that (just an internal redirect page).

In the past, one solution was to HMAC the destination URL with a time component (i.e. the redirect is only valid for a short period of time).

Today, you can check the origin header when your user lands on the redirect page or just tell the browser what information you want in the referrer (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...).
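Added example, not part of the thread and not any commenter's code: a sketch of the time-limited, HMAC-signed internal redirect described in the comment above. The `/out` path, the parameter names `u`/`t`/`s`, the secret and the 300-second validity window are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
MAX_AGE = 300                     # assumption: a signed link is valid for 5 minutes


def _mac(dest: str, ts: int) -> str:
    # Bind destination and issue time together; the length prefix keeps the
    # encoding unambiguous if the destination itself contains '|'.
    msg = f"{len(dest)}:{dest}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_redirect(dest: str, now: Optional[int] = None) -> str:
    """Build the internal redirect link the site embeds in its own pages."""
    ts = int(time.time()) if now is None else now
    return "/out?" + urlencode({"u": dest, "t": ts, "s": _mac(dest, ts)})


def verify_redirect(link: str, now: Optional[int] = None) -> Optional[str]:
    """Return the destination if the link is authentic and fresh, else None."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlsplit(link).query)
    try:
        dest, ts, sig = q["u"][0], int(q["t"][0]), q["s"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameter
    # Constant-time comparison of the supplied tag against the expected one.
    if not hmac.compare_digest(sig.encode(), _mac(dest, ts).encode()):
        return None  # destination or timestamp was not signed by this site
    if not 0 <= now - ts <= MAX_AGE:
        return None  # expired, or timestamp lies in the future
    if urlsplit(dest).scheme not in ("http", "https"):
        return None  # only redirect to web URLs, even when signed
    return dest
```

Because only the site can produce a valid `s`, the redirect page forwards solely to destinations the site itself linked to, and only for a short time after the page was rendered.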

I really, really hate such things: they’re no longer at all necessary (see referrer-policy), and they clutter up browser history with an extraneous entry every time.
There are many browser extensions to spoof or disable your referrer.
The point is for the site owner to prevent it from showing up in the referer logs of other sites, regardless of browser.
I wish every site would do that... but they like to do the opposite.