diff --git a/public/js/icinga/loader.js b/public/js/icinga/loader.js
index a4bff4dba..c82f9411e 100644
--- a/public/js/icinga/loader.js
+++ b/public/js/icinga/loader.js
@@ -242,6 +242,10 @@
 loadUrl: function (url, $target, data, method, action, autorefresh, progressTimer, extraHeaders) {
 var id = null;
+ if (url.startsWith('//') || ! url.startsWith(this.baseUrl + '/')) {
+ throw new Error('URL ' + url + ' is not relative to ' + this.baseUrl);
+ }
+
 // Default method is GET
 if ('undefined' === typeof method) {
 method = 'GET';
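Review bot: The added guard at the top of loadUrl tests the raw string prefix, which is not the same as testing where the browser will actually send the request. If `this.baseUrl` can be an empty string (an installation at the web root; not visible in this hunk), the second condition reduces to "starts with `/`", and because URL parsing normalises backslashes and drops embedded tab and newline characters, a value that passes both `startsWith` tests may still resolve to a different host. I would keep the prefix test and add a comparison on the resolved URL, e.g. `if (new URL(url, window.location.href).origin !== window.location.origin) { throw new Error('URL ' + url + ' is not same-origin'); }`. The guard also assumes `url` is a string, so a non-string argument now fails with a TypeError from `startsWith` instead of the descriptive error; a one-line comment stating that loadUrl only accepts paths below `baseUrl` and throws otherwise would help callers. The body of loadUrl continues outside the hunk, so whether callers handle the new exception cannot be checked from here.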