@bitquark reported a low-risk open redirect on GitHub.com. Rails code such as redirect_to :back could be exploited to redirect a user to an arbitrary location if they were first forwarded to GitHub via a malicious site. We addressed the behavior by limiting which locations passed via Referer headers we allow to be used for redirection.
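
One way to limit which Referer values a "back" redirect may follow, as an added example that is not GitHub's actual fix. The helper name safe_back_location, the allowlist contents, and the fallback path are assumptions, and the sample URLs are constructed.

```ruby
require "uri"

# Hypothetical allowlist; the page does not say which locations are permitted.
ALLOWED_REDIRECT_HOSTS = ["github.com"].freeze
FALLBACK_PATH = "/"

# Returns the location a "back" redirect may use: the Referer when it is an
# absolute http(s) URL on an allowed host, otherwise the fallback path.
def safe_back_location(referer, allowed_hosts: ALLOWED_REDIRECT_HOSTS,
                       fallback: FALLBACK_PATH)
  return fallback if referer.nil? || referer.strip.empty?

  uri = URI.parse(referer.strip)
  # Only absolute http(s) URLs; rejects javascript:, data: and relative forms.
  return fallback unless uri.is_a?(URI::HTTP) && uri.host
  # Reject credentials in the authority (https://github.com@attacker.example/).
  return fallback if uri.userinfo
  # Exact, case-insensitive host match; no suffix or substring matching, so
  # github.com.attacker.example does not pass.
  return fallback unless allowed_hosts.include?(uri.host.downcase)

  uri.to_s
rescue URI::InvalidURIError
  # A Referer that does not parse is never used as a redirect target.
  fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Referer values: one same-site, the rest off-site or malformed.
  [
    "https://github.com/settings/profile",
    "https://attacker.example/landing",
    "https://github.com.attacker.example/",
    "https://github.com@attacker.example/",
    "javascript:alert(1)",
    nil
  ].each do |referer|
    puts "#{referer.inspect} -> #{safe_back_location(referer)}"
  end
end
```

In a Rails controller the result would be passed to redirect_to in place of :back.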