The redirect I found on https://www.google.com seems like it did have a whitelist. Luckily youtube.com was on the whitelist, so I could re-use the exploit from there. So even whitelists aren't totally safe (and YouTube isn't using the redirect for known friendly sites - seems to be more for tracking purposes).
No comments yet.