diff --git a/web/operator-gui/app.js b/web/operator-gui/app.js
index c4bef45..8751928 100644
--- a/web/operator-gui/app.js
+++ b/web/operator-gui/app.js
@@ -551,7 +551,11 @@ function safeUrl(value) {
 const url = String(value || "").trim();
- if (/^https?:\/\//i.test(url) || url.startsWith("/")) {
+ // Same-origin path, but reject protocol-relative ("//host") and backslash
+ // ("/\\host") forms that browsers normalize to an external host.
+ const isSameOriginPath = url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
+
+ if (/^https?:\/\//i.test(url) || isSameOriginPath) {
 return url;