Comment by hunter2_

3 days ago

> also with the browser

Browsers have been doing this forever: you make a request to a server (A) that you choose to interact with, and it could respond with various things (a redirect, a page with a meta refresh, a page with a frame / iframe, etc.) that result in your browser automatically making a request (and rendering the resulting page response) to some other server (B) that could get you in trouble.

However, in this classic scenario, when A starts sending you to B, you stop trusting A. This is simple when A's behavior is entirely determined by A's owner. What if it's determined by other users (not just A's owner)? Typically, A would be careful to not serve a redirect (etc.) based on user input, as that would be considered an "open redirect" vulnerability (with an exception for link shorteners, I guess). Interesting how the webview preloading that we're discussing now commits essentially this same offense.
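How server A can stay "careful" when a redirect target does come from user input, as an added example that is not part of hunter2_'s comment. The origins `a.example` and `docs.a.example`, the function names and the sample inputs are assumptions made up for illustration.

```javascript
// Added example. a.example plays server A from the comment; the origins,
// function names and sample inputs below are constructed for illustration.
const SITE_ORIGIN = "https://a.example";
const ALLOWED_EXTERNAL = new Set(["https://docs.a.example"]);
const FALLBACK = SITE_ORIGIN + "/";

// Weak check often seen in practice: "starts with a slash, so it is local".
// Browsers treat "//host" and "/\host" as scheme-relative URLs to another host.
function naiveIsLocal(input) {
  return typeof input === "string" && input.startsWith("/");
}

// Hardened check: parse the way a browser would, then compare origins.
function safeRedirectTarget(input) {
  if (typeof input !== "string" || input.length === 0) return FALLBACK;
  // Reject control characters and backslashes up front; URL parsers strip
  // tabs/newlines and treat "\" as "/", which hides the real destination.
  if (/[\u0000-\u001f\u007f\\]/.test(input)) return FALLBACK;
  let url;
  try {
    url = new URL(input, SITE_ORIGIN); // relative input resolves against A
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK; // javascript:, data:, http:
  if (url.username || url.password) return FALLBACK; // userinfo before the host
  const ok = url.origin === SITE_ORIGIN || ALLOWED_EXTERNAL.has(url.origin);
  // Return the normalized absolute URL, never the raw input: a path such as
  // "/.//b.example" normalizes to "//b.example", which is unsafe if echoed.
  return ok ? url.href : FALLBACK;
}

// Constructed inputs: values a "next=" style parameter might carry.
const SAMPLES = [
  "/account?tab=1", "//b.example/x", "/\\b.example", "https://b.example/",
  "https://a.example@b.example/", "https://a.example.b.example/",
  "javascript:alert(1)", "https://docs.a.example/guide", "/.//b.example",
];

function report() {
  return SAMPLES.map((input) => ({
    input, naive: naiveIsLocal(input), target: safeRedirectTarget(input),
  }));
}

console.table(report());
```

The table shows the prefix check accepting `//b.example/x` and `/\b.example`, while the origin comparison sends both to the fallback.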