Redirect hardening breaks Form::redirect for external URLs #14317

@thomasvantuycom

Description

Bug description

The redirect security hardening introduced in #14099 appears to break form-specific redirects using Form::redirect, which was added in #8729.

Currently, redirects to external URLs are blocked. While this makes sense from a security perspective, it also prevents legitimate use cases—such as redirecting to external payment providers—where Form::redirect is intentionally used.

Would it be possible to adjust the redirect logic to distinguish between:

  • explicitly defined redirects via Form::redirect, and
  • user-controlled input (e.g. _redirect) coming from the front end?

This distinction could allow trusted, developer-defined redirects to external URLs while still protecting against injection-based attacks.

How to reproduce

  1. Create a form that uses Form::redirect to an external URL
  2. Submit the form from the front end
  3. Observe the redirect behavior

Logs

Environment
Application Name: Statamic
Laravel Version: 13.1.1
PHP Version: 8.3.27
Composer Version: 2.9.3
Environment: local
Debug Mode: ENABLED
URL: statamic-addons.ddev.site
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: mariadb
Logs: stack / single
Mail: smtp
Queue: sync
Session: file

Storage
public/storage: NOT LINKED

Statamic
Addons: 1
Sites: 1
Stache Watcher: Enabled (auto)
Static Caching: Disabled
Version: 6.7.1 Solo

Statamic Addons
thomasvantuycom/statamic-mollie: dev-main

Installation

Fresh statamic/statamic site via CLI

Additional details

No response
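The split the report asks for, shown as an added example that is not Statamic's or the addon's code: a hypothetical RedirectPolicy class (name, precedence of the developer target over _redirect, and the placeholder hosts are all assumptions) that lets a developer-defined Form::redirect target go off-site while holding a request-supplied _redirect to the site's own host.

```php
<?php
declare(strict_types=1);
// Hypothetical policy class, not Statamic's code. It assumes the site's own host is
// known and that the developer-defined target (Form::redirect) and the request-supplied
// one (_redirect) arrive as separate values, so each can be judged by its own rule.
final class RedirectPolicy
{
    public function __construct(private string $appHost) {}
    // Developer-defined target: it never came from the request, so an external http(s)
    // URL (e.g. a payment provider) or a local path passes; only javascript:/data: style
    // schemes are refused.
    public function resolveTrusted(?string $target): ?string
    {
        if ($target === null || $target === '') return null;
        $scheme = parse_url($target, PHP_URL_SCHEME); // null if relative, false if malformed
        if ($scheme === false) return null;
        return $scheme === null || in_array(strtolower($scheme), ['http', 'https'], true) ? $target : null;
    }

    // Request-supplied target: untrusted, so only a path on this site or an absolute
    // http(s) URL on our own host passes; an injected _redirect cannot leave the site.
    public function resolveUntrusted(?string $target): ?string
    {
        if ($target === null || $target === '') return null;
        // "//host" and "/\host" are rejected early: browsers normalise both into an
        // external URL even though parse_url() may read them as a local path.
        if (str_starts_with($target, '//') || str_contains($target, '\\')) return null;
        $parts = parse_url($target);
        if ($parts === false) return null;
        if (isset($parts['scheme']) || isset($parts['host'])) {
            $scheme = strtolower($parts['scheme'] ?? '');
            $sameHost = strcasecmp($parts['host'] ?? '', $this->appHost) === 0;
            return in_array($scheme, ['http', 'https'], true) && $sameHost ? $target : null;
        }
        return str_starts_with($target, '/') ? $target : null;
    }

    // Precedence is an assumption: developer target first, then the sanitised request
    // value, then the site root.
    public function choose(?string $developerTarget, ?string $requestTarget): string
    {
        return $this->resolveTrusted($developerTarget)
            ?? $this->resolveUntrusted($requestTarget) ?? '/';
    }
}

$policy = new RedirectPolicy('statamic-addons.ddev.site');       // host taken from the report
var_dump($policy->choose('https://payments.example/checkout', null)); // developer-defined external target
var_dump($policy->choose(null, 'https://attacker.example/'));          // external target injected via _redirect
var_dump($policy->choose(null, '/thank-you'));                          // local path supplied via _redirect
```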