Google App Engine not blocking PayPal?

Update: Marzia from the Google App Engine team responded to the post. It is a bug (and, according to yet another update on the forums, this has now been fixed).

Here's Marzia's comment:

This is a bug, and we have located the problem. There was an error in our anti-phishing protections that was blocking some specific URL domains from being fetched using the URLFetch service. This was an oversight on our part, and these specific domain restrictions will be removed in the next few days.

Great news, Marzia, thanks! :) It's definitely going to make my life easier to be able to reach PayPal from Google App Engine.

Original post follows:

You know that I am very optimistic and supportive of Google App Engine but something I read today has made me a little worried.

It appears that Google App Engine is deliberately blocking PayPal URLs. At first people thought this was due to a technical glitch, but, according to Petko D. Petkov on the Google App Engine forum, the calls succeed when using a forwarding URL (like TinyURL).

To quote Petko's post:

Apparently Google blocks URLs to paypal but with a bit of creativity we can bypass this restriction. . .

Requests to:

are blocked . . . in order to bypass them we need to change the paypal URLs to something different. For example, we can use tinyurl. . .

which is actually

If we send the post verification to that URL, we bypass the restriction

If this is true, I can't see how this move demonstrates good faith on Google's part. It doesn't seem to gel with their "do no evil" policy or, as Petko states, their championing of the open web.

So far, Google has been completely silent on this issue.

I hope that changes. And I hope this is a bug.

At the very least, someone from Google needs to explain to us why they are blocking PayPal URLs.

If this is true, it sets a dangerous precedent that should give any developer considering Google App Engine pause: Will Google use its position of power to dictate which services and web sites your applications will be able to access? We need a clear policy statement on this.

So, Google, what do you say?