The current check to ensure that only absolute paths are accepted
fails to take into account scheme-relative URLs like "//foo.com".

These URLs end up in fixupURL and get the origin prepended to them
to something like "https://origin.example.com//foo.com", which is
invalid but still follows our same-origin restrictions.

So the solution is to require that the character after the leading
slash be anything but a slash.