Restrict ClientHttpRedirect to http/https URLs #26387

@daniel-beck

Description

While intended as a utility class to redirect to hard-coded docs from, e.g., administrative monitors' #doAct methods, it can be used more generally.

That brings with it the risk of callers redirecting to user-specified URLs, which may include non-http/https schemes. The most obvious one is javascript, but this API should just be limited to actually redirect to http/https. All other values should not result in the actual redirect, but perhaps a page resembling the @RequirePOST placeholder page, with a security warning.

(Not a vulnerability. The vulnerability would be in the callers, of which there are none that aren't redirecting to hard-coded URLs. But still not a safe design.)
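The check the issue asks for, as an added stand-alone illustration (this is not Jenkins' ClientHttpRedirect or any other project code; the class, method and field names below are hypothetical): the redirect target is parsed as a URI, only a lowercase-normalized scheme of http or https yields a redirect, and every other value (javascript:, data:, a malformed string, an empty string, or a scheme-less string) is refused so the caller can render a warning page instead of emitting a Location header. Treating scheme-less relative paths as refused is an assumption made here to match "all other values should not result in the actual redirect"; a real implementation might choose to allow same-origin relative paths.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical scheme-restricted redirect decision (illustrative, not Jenkins code).
 * Mirrors the design asked for in the issue: redirect only to http/https,
 * and turn everything else into a refusal the caller renders as a warning page.
 */
public final class SchemeRestrictedRedirect {

    /** Allowlist rather than denylist: a new scheme is refused until explicitly added. */
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    public enum Outcome { REDIRECT, REFUSED }

    /** What the caller does with the result: send a 302 or show a warning page. */
    public static final class Decision {
        public final Outcome outcome;
        public final String target;  // normalized absolute URL for REDIRECT, null otherwise
        public final String reason;  // explanation shown on the warning page for REFUSED

        private Decision(Outcome outcome, String target, String reason) {
            this.outcome = outcome;
            this.target = target;
            this.reason = reason;
        }
    }

    private static Decision refused(String reason) {
        return new Decision(Outcome.REFUSED, null, reason);
    }

    /** Decide whether {@code rawUrl} may be used as a redirect target. */
    public static Decision decide(String rawUrl) {
        if (rawUrl == null || rawUrl.isBlank()) {
            return refused("empty redirect target");
        }
        URI uri;
        try {
            // java.net.URI rejects control characters such as tabs, so obfuscated
            // forms like "java\tscript:" never reach the scheme comparison.
            uri = new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            return refused("malformed URL: " + e.getReason());
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // Assumption for this example: relative/scheme-less targets are refused too.
            return refused("redirect target has no http/https scheme");
        }
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return refused("scheme not allowed for redirects: " + scheme);
        }
        return new Decision(Outcome.REDIRECT, uri.toString(), null);
    }

    /** Plain-text stand-in for the warning page a real implementation would render. */
    public static String warningPage(Decision d) {
        return "Redirect refused: " + d.reason
                + "\nOnly http and https targets are followed automatically.";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real caller.
        String[] samples = {
            "https://www.jenkins.io/doc/",
            "HTTP://example.invalid/path",
            "javascript:alert(document.domain)",
            "JavaScript:void(0)",
            "data:text/html,hello",
            "/manage",
            "http://bad host/",
            ""
        };
        for (String s : samples) {
            Decision d = decide(s);
            if (d.outcome == Outcome.REDIRECT) {
                System.out.println("302 -> " + d.target);
            } else {
                System.out.println(warningPage(d).replace('\n', ' ') + "  [input: " + s + "]");
            }
        }
    }
}
```

The decision object keeps the response choice out of the validator, so the same check can back both a real HTTP redirect and the warning page the issue suggests; the scheme comparison is case-insensitive because browsers treat `JavaScript:` and `javascript:` alike.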

Labels: lts-candidate (When fixed, this issue should be considered for backporting to the LTS line)
