The trick is to use a vertical tab (`%09`) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.

As you can see, the browser changes the destination from a relative `/` to an absolute URL. The exploit is `http://domain.tld/%09//otherdomain.tld`.
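
To check which request paths turn into an off-site link, the following added example (not part of the original write-up) resolves a path the way a browser would, using the WHATWG URL parser built into Node.js. It assumes the error page echoes the percent-decoded request path into the `href`; the function names `echoedHref`, `linkDestination` and `leavesOrigin` are chosen for illustration.

```javascript
// Added example. Assumption: the error page echoes the percent-decoded
// request path into an href attribute.
function echoedHref(requestPath) {
  try {
    return decodeURIComponent(requestPath);
  } catch (err) {
    return requestPath; // malformed escape: assume it is echoed verbatim
  }
}

// Resolve the echoed href against the site origin. The WHATWG URL parser
// removes ASCII tab, CR and LF from its input before parsing, so
// "/<TAB>//otherdomain.tld" is parsed as "///otherdomain.tld".
function linkDestination(requestPath, siteOrigin) {
  return new URL(echoedHref(requestPath), siteOrigin);
}

// True when the link on the error page would leave the site's origin.
function leavesOrigin(requestPath, siteOrigin) {
  try {
    const dest = linkDestination(requestPath, siteOrigin);
    return dest.origin !== new URL(siteOrigin).origin;
  } catch (err) {
    return false; // href does not parse as a URL, so there is no destination
  }
}

// Constructed sample request paths (as they would appear in an access log).
const samplePaths = [
  '/docs/index.html',
  '/%09//otherdomain.tld',    // the pattern from this page
  '/a/%09//otherdomain.tld',  // tab is not right after the first slash
];

for (const p of samplePaths) {
  const verdict = leavesOrigin(p, 'http://domain.tld') ? 'OFF-SITE' : 'same-site';
  console.log(`${verdict}  ${p}  ->  ${linkDestination(p, 'http://domain.tld').href}`);
}
```

Only the second sample resolves to another origin; in the third, the extra slashes stay inside the path of `domain.tld`.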

Here's the httpd configuration to reproduce the behavior:

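    <Location />
        # The backend URL is not given on this page; http://backend.invalid/ is a placeholder.
        ProxyPass http://backend.invalid/ connectiontimeout=1 timeout=2
        Order allow,deny
        Allow from all
    </Location>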

# [2019-12-03]  #