
Thanks for this list. I will be reviewing our site at whalepath.com to make sure we are not vulnerable.

Btw, LinkedIn has implemented a number of the countermeasures listed in:

* static redirects

* checking that the redirect listed is the same for all calls.

* fast expiration of code.
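
The three countermeasures in the comment above, sketched as an added example that is not part of the original comment and is not LinkedIn's code. It assumes they refer to an OAuth 2.0 authorization-code flow; the client id, callback URL, 30-second lifetime and function names are constructed for illustration.

```python
import secrets
import time

# Constructed sample registration: one hypothetical client, one static redirect URI.
REGISTERED_REDIRECTS = {"client-123": {"https://app.example.com/oauth/callback"}}
CODE_TTL_SECONDS = 30  # assumed value; the comment only says "fast expiration"

_codes = {}  # code -> (client_id, redirect_uri, expires_at)


def issue_code(client_id, redirect_uri, now=None):
    """Authorization step: accept only an exact, pre-registered redirect URI."""
    now = time.time() if now is None else now
    # Exact string match against the static list: no prefix or wildcard matching.
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        raise ValueError("redirect_uri is not registered for this client")
    code = secrets.token_urlsafe(32)
    _codes[code] = (client_id, redirect_uri, now + CODE_TTL_SECONDS)
    return code


def redeem_code(code, client_id, redirect_uri, now=None):
    """Token step: the code must be unexpired and bound to the same redirect."""
    now = time.time() if now is None else now
    # Pop before checking, so a code is single use even when a check fails
    # (single use goes beyond the comment's list, but belongs with expiry).
    record = _codes.pop(code, None)
    if record is None:
        raise ValueError("unknown or already used code")
    bound_client, bound_redirect, expires_at = record
    if now > expires_at:
        raise ValueError("code expired")
    if bound_client != client_id:
        raise ValueError("code was issued to a different client")
    # "The redirect listed is the same for all calls": compare with the value
    # stored at the authorization step, not just with the registered list.
    if bound_redirect != redirect_uri:
        raise ValueError("redirect_uri differs from the authorization request")
    return {"client_id": client_id, "access_token": secrets.token_urlsafe(32)}
```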


