The site at the end of that URL will set a cookie. How else would such a mechanism be functional at all? A call to steams naviagtionTiming api confirming the last page load and nothing else at all? Hard to imagine a product manager agreeing to such a pointless exchange. So it cant be redirected to an ip, which I assume you mean is running its own webserver on loopback:443. It also implies the mechanism to verify allows cross site scripting, at least to that one other domain.
The site at the end of that URL will set a cookie. How else would such a mechanism be functional at all? A call to steams naviagtionTiming api confirming the last page load and nothing else at all? Hard to imagine a product manager agreeing to such a pointless exchange. So it cant be redirected to an ip, which I assume you mean is running its own webserver on loopback:443. It also implies the mechanism to verify allows cross site scripting, at least to that one other domain.