
Exclude url wildcards on the allowed redirect hosts check


Details

    Description

      In eZ Publish legacy there is a check that allows redirects only to hosts explicitly defined (whitelisted) in site.ini. It was introduced in the following commit: https://github.com/ezsystems/ezpublish-legacy/commit/63ac69894d3542d7e907a6f4f556f8b368637f11.
      This improvement aims to allow redirection to hosts that are defined through Wildcard URL Aliases without having to whitelist them in the configuration as well.

      Original ticket description:

      If a redirect is coming from the url wildcards module, you don't have to check the host. It is too much effort to also put every host into the site.ini.

      Based on this commit we would like an improvement for excluding url wildcards from this check, if that is the case. Something like this (but we still don't have an idea where the better position is to check whether the redirect comes from the url wildcard module, in this case the variable $fromUrlWildcardModule):

          if ( strlen( $originalURI ) != 0 and
               strlen( $uri ) == 0 )
              $uri = '/';

          $urlComponents = parse_url( $uri );
          if ( isset( $urlComponents['host'] ) && $urlComponents['host'] !== eZSys::hostname() )
          {
              // +++++++++ HERE IS THE WORKAROUND: skip the whitelist check
              // when the redirect originates from the url wildcard module
              if ( !$fromUrlWildcardModule )
              {
                  $allowedHosts = $this->getAllowedRedirectHosts();
                  if ( !isset( $allowedHosts[$urlComponents['host']] ) )
                  {
                      // Non-authorized host, return only the URI (without host) + query string and fragment if present.
                      eZDebug::writeError( "Redirection requested on non-authorized host '{$urlComponents['host']}'" );
                      header( $_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden' );
                      echo "Redirection requested on non-authorized host";
                      eZDB::checkTransactionCounter();
                      eZExecution::cleanExit();
                  }
              } // +++++++++ END of the workaround
          }


      Thanks in advance.
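      The check proposed above as a stand-alone PHP function, added here as an example and not code from eZ Publish; the function name, parameter names and sample hosts are assumptions. The exemption only holds if $fromUrlWildcardModule is set by the kernel when it has resolved an admin-configured Wildcard URL Alias, never from anything in the request, since a request-controllable flag would turn the whitelist into an open redirect.

```php
<?php
// Added example (not eZ Publish code): the redirect-host check from the
// ticket with the wildcard-alias exemption as an explicit parameter.
// Function and parameter names are assumptions.

/**
 * Decide whether $uri may be used as a redirect target.
 *
 * @param string $uri                   Target URI, absolute or relative
 * @param string $currentHost           What eZSys::hostname() returns in the real code
 * @param array  $allowedHosts          Whitelist keyed by host name, as getAllowedRedirectHosts() returns it
 * @param bool   $fromUrlWildcardModule True only when the kernel itself resolved a
 *                                      Wildcard URL Alias; must not be derived from request input
 * @return bool
 */
function isRedirectTargetAllowed( $uri, $currentHost, array $allowedHosts, $fromUrlWildcardModule )
{
    $components = parse_url( $uri );
    if ( $components === false )
    {
        return false; // unparsable URI: refuse rather than guess
    }
    if ( !isset( $components['host'] ) )
    {
        return true; // relative URI: stays on the current host
    }

    // Host names are case-insensitive; compare them in one case.
    $host = strtolower( $components['host'] );
    if ( $host === strtolower( $currentHost ) )
    {
        return true;
    }

    // Targets resolved from an admin-defined Wildcard URL Alias are accepted
    // without a site.ini entry; this is the improvement the ticket asks for.
    if ( $fromUrlWildcardModule )
    {
        return true;
    }

    $allowedHosts = array_change_key_case( $allowedHosts, CASE_LOWER );
    return isset( $allowedHosts[$host] );
}

// Constructed sample values for a quick self-check.
$allowed = array( 'cdn.example.org' => true );
var_dump( isRedirectTargetAllowed( '/content/view/full/2', 'www.example.org', $allowed, false ) ); // relative path
var_dump( isRedirectTargetAllowed( 'http://cdn.example.org/x', 'www.example.org', $allowed, false ) ); // whitelisted host
var_dump( isRedirectTargetAllowed( 'http://other.example.net/', 'www.example.org', $allowed, false ) ); // unlisted host, normal request
var_dump( isRedirectTargetAllowed( 'http://other.example.net/', 'www.example.org', $allowed, true ) ); // unlisted host, wildcard alias
```

      A 403 response and eZDebug::writeError as in the original code would then be emitted by the caller when the function returns false, so the refusal remains visible in the logs.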

          People

            Assignee: Unassigned
            Reporter: Ricardo Correia (Inactive)