diff --git a/app/scripts/phishing-detect.js b/app/scripts/phishing-detect.js
index 68c30d501..c076a74d4 100644
--- a/app/scripts/phishing-detect.js
+++ b/app/scripts/phishing-detect.js
@@ -35,6 +35,16 @@ function start() {
 params: [suspect.hostname],
 id: createRandomId(),
 });
- window.location.href = suspect.href;
+ const redirectTarget = new URL(suspect.href, window.location.href);
+ // validate redirect url
+ const invalidProtocol = !(['https:', 'http:'].includes(redirectTarget.protocol));
+ // if in valid, show warning and abort
+ if (invalidProtocol) {
+ // we intentionally dont display to the user any potential attacker-written content here
+ console.error(`Invalid redirect url.`);
+ return;
+ };
+ // use the validated url instance
+ window.location.href = redirectTarget.href;
 });
 }
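Review bot: `new URL(suspect.href, window.location.href)` throws a TypeError when `suspect.href` is not parseable as a URL, and nothing in the hunk catches it, so a malformed value aborts the callback with an uncaught exception instead of reaching the `console.error` branch that the protocol check uses. Since `suspect` is evidently derived from data this page treats as attacker-influenced (the added comment says so explicitly), the parse failure should be handled on the same abort path as the protocol allowlist rejection, as sketched below; the protocol allowlist itself is the right check here, as it blocks `javascript:` and `data:` targets. Separately, the `};` closing the `if` block leaves a stray empty statement after the brace; drop the semicolon. The enclosing callback and `start()` begin outside the hunk.
```javascript
// … unchanged: the call that precedes the redirect …
let redirectTarget;
try {
  redirectTarget = new URL(suspect.href, window.location.href);
} catch (err) {
  // unparseable target: abort the redirect without echoing the value
  console.error(`Invalid redirect url.`);
  return;
}
// … unchanged: protocol allowlist check and final assignment to window.location.href …
```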