diff --git a/core/includes/common.inc b/core/includes/common.inc
index 0f252ca..575e286 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -683,8 +683,10 @@ function drupal_encode_path($path) {
  */
 function drupal_goto($path = '', array $options = array(), $http_response_code = 302) {
   // A destination in $_GET always overrides the function arguments.
-  // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
-  if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
+  // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector, with the following exception:
+  // - absolute URLs that have their domain equal to the base URL of this site are allowed
+  if (isset($_GET['destination']) &&
+    (!url_is_external($_GET['destination']) || parse_url($_GET['destination'], PHP_URL_HOST) == parse_url($GLOBALS['base_url'], PHP_URL_HOST))) {
     $destination = drupal_parse_url($_GET['destination']);
     $path = $destination['path'];
     $options['query'] = $destination['query'];
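Review bot: The new same-site exception in the `if` compares only the host, so scheme and port are not checked: on a site whose `base_url` is `https://…`, a `destination=http://same-host/…` is accepted and redirects the user to a plaintext URL, and a different port on the same host passes as well. The comparison is also a loose `==` on raw `parse_url` output, which returns `FALSE` for malformed input and `NULL` for host-less external URLs such as `mailto:`, so the check's outcome for those rests on PHP's loose-equality rules rather than on an explicit rejection. I would parse both URLs once, require a host on the destination, and compare scheme, host (case-insensitively, since hostnames are not case-sensitive) and port before treating the URL as local; whether `drupal_parse_url()` then keeps the scheme of an absolute destination is not visible in this hunk, and the body of `drupal_goto()` continues past it. The comment should also say what "domain equal" means once the check is tightened, e.g. `// - absolute URLs whose scheme, host and port match this site's base URL are allowed`.

```php
  // A destination in $_GET always overrides the function arguments.
  // … unchanged: comment on external destinations …
  $same_site = FALSE;
  if (isset($_GET['destination']) && url_is_external($_GET['destination'])) {
    $dest_parts = parse_url($_GET['destination']);
    $base_parts = parse_url($GLOBALS['base_url']);
    // Require scheme, host and port to match; parse_url() returns FALSE on
    // malformed input and omits 'host' for scheme-only URLs like mailto:.
    $same_site = is_array($dest_parts) && is_array($base_parts)
      && isset($dest_parts['host']) && isset($base_parts['host'])
      && strcasecmp($dest_parts['host'], $base_parts['host']) === 0
      && (isset($dest_parts['scheme']) ? strtolower($dest_parts['scheme']) : NULL) === (isset($base_parts['scheme']) ? strtolower($base_parts['scheme']) : NULL)
      && (isset($dest_parts['port']) ? $dest_parts['port'] : NULL) === (isset($base_parts['port']) ? $base_parts['port'] : NULL);
  }
  if (isset($_GET['destination']) && (!url_is_external($_GET['destination']) || $same_site)) {
    // … unchanged: drupal_parse_url() of the destination …
```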