diff --git a/client/karma.js b/client/karma.js
index 64264d1d0..b5a6f76b4 100644
--- a/client/karma.js
+++ b/client/karma.js
@@ -239,6 +239,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
 self.updater.updateTestStatus('complete')
 }
 if (returnUrl) {
+ if (!/^https?:\/\//.test(returnUrl)) {
+ throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+ }
 location.href = returnUrl
 }
 }
diff --git a/static/karma.js b/static/karma.js
index b88001881..7d7e49a97 100644
--- a/static/karma.js
+++ b/static/karma.js
@@ -249,6 +249,9 @@ function Karma (updater, socket, iframe, opener, navigator, location, document)
 self.updater.updateTestStatus('complete')
 }
 if (returnUrl) {
+ if (!/^https?:\/\//.test(returnUrl)) {
+ throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
+ }
 location.href = returnUrl
 }
 }
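Review bot: The new `/^https?:\/\//` guard in client/karma.js does stop `javascript:`- and `data:`-style values from reaching `location.href`, but it is a scheme check only: any `http(s)://` value, including an arbitrary external origin, is still navigated to, so if `returnUrl` is attacker-controllable (its source is outside this hunk) the change closes the script-injection path but leaves an open redirect. The regex is also stricter than it needs to be in the other direction, rejecting `HTTPS://...` and same-page relative paths such as `/context.html`, which previously worked. Parsing with `new URL(returnUrl, location.href)` and comparing `protocol` handles case and relative paths uniformly and gives a place to add an origin allow-list (`target.origin === location.origin`) if that is the intended policy; if the client must still run in browsers without the `URL` constructor, at least make the regex case-insensitive with `/^https?:\/\//i`. Note that the `throw` escapes whatever handler invokes this code — the enclosing `Karma` function begins before the hunk — so callers should be checked to confirm an uncaught exception is the intended failure mode rather than a logged, skipped navigation.

```javascript
    if (returnUrl) {
      // Resolve relative values against the current page so only the scheme (and, if desired, origin) is judged.
      let target
      try {
        target = new URL(returnUrl, location.href)
      } catch (err) {
        throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
      }
      if (target.protocol !== 'http:' && target.protocol !== 'https:') {
        throw new Error(`Security: Navigation to ${returnUrl} was blocked to prevent malicious exploits.`)
      }
      location.href = target.href
    }
```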
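Review bot: The static/karma.js hunk is a byte-for-byte duplicate of the client/karma.js change, and the different blob ids and offset line numbers (`@@ -249` vs `@@ -239`) suggest it is a build output of the client file rather than a second source of truth. If that is the case it should be regenerated by the build step rather than patched by hand, so the two copies cannot drift apart on the next security fix; any change made to the client-side guard (case-insensitivity, relative-path handling, origin allow-list) needs to land here too for the shipped bundle to actually enforce it.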