mccutchen / go-httpbin

A reasonably complete and well-tested golang port of httpbin, with zero dependencies outside the go stdlib.
https://httpbingo.org
MIT License

fix: mitigate allowed redirect domain bypass #174

Closed mccutchen closed 6 months ago

mccutchen commented 6 months ago

Before this change, it was possible to bypass go-httpbin's allowed redirect domain configuration by passing an absolute URL without a scheme (e.g. //evil.com) to the /redirect-to endpoint.

Fixes #173.
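The bypass described in this PR, as an added example that is not go-httpbin's own code: a naive allowlist check that keys on `url.URL.IsAbs()` next to a hardened one that keys on the presence of a host. The allowlist contents, the function names, and the idea that the original check relied on `IsAbs()` are assumptions for this example; it is one way such a check can be written that produces the behaviour the PR describes.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedDomains is a constructed allowlist that stands in for go-httpbin's
// allowed-redirect-domain configuration (an assumption for this example).
var allowedDomains = map[string]bool{
	"example.com": true,
}

// naiveRedirectAllowed models one way an allowlist check can be written that
// exhibits the bypass described in the PR (assumed, not the project's code):
// only targets that url.URL.IsAbs() reports as absolute, i.e. ones carrying a
// scheme, are compared against the allowlist. A scheme-relative target such as
// "//evil.com" has no scheme, so IsAbs() is false, the check is skipped, and
// the Location header sent to the client points at evil.com anyway.
func naiveRedirectAllowed(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if !u.IsAbs() {
		return true // assumed to be a same-origin path: this is the hole
	}
	return allowedDomains[u.Hostname()]
}

// hardenedRedirectAllowed decides on the presence of a host rather than a
// scheme. url.Parse("//evil.com") yields Host == "evil.com", so the
// scheme-relative form is checked against the allowlist like any absolute
// URL. Targets with no host are accepted only if they are a plain
// same-origin path: they must start with exactly one "/", because a path
// beginning with "//" is still resolved by clients as a network-path
// reference.
func hardenedRedirectAllowed(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Host != "" {
		return allowedDomains[u.Hostname()]
	}
	// No host: accept only "/path", not "//..." (an opaque "scheme:..." form
	// has an empty Path and therefore fails the prefix test as well).
	return strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//")
}

func main() {
	for _, target := range []string{
		"https://example.com/landing", // allowlisted absolute URL
		"https://evil.com/",           // non-allowlisted absolute URL
		"//evil.com",                  // scheme-relative: the reported bypass
		"/anything",                   // genuine same-origin path
	} {
		fmt.Printf("%-30s naive=%-5v hardened=%v\n",
			target, naiveRedirectAllowed(target), hardenedRedirectAllowed(target))
	}
}
```

Running the block prints one line per target; the `//evil.com` row is the one where the naive check says `true` and the hardened check says `false`. The hardened variant also rejects non-HTTP opaque targets without a separate scheme test, since those parse with no host and no leading-slash path.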

codecov[bot] commented 6 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 95.04%. Comparing base (8f905de) to head (5f35430).

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #174   +/-   ##
=======================================
  Coverage   95.04%   95.04%
=======================================
  Files          10       10
  Lines        2179     2179
=======================================
  Hits         2071     2071
  Misses         74       74
  Partials       34       34
```

| [Files](https://app.codecov.io/gh/mccutchen/go-httpbin/pull/174?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Will+McCutchen) | Coverage Δ | |
|---|---|---|
| [httpbin/handlers.go](https://app.codecov.io/gh/mccutchen/go-httpbin/pull/174?src=pr&el=tree&filepath=httpbin%2Fhandlers.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Will+McCutchen#diff-aHR0cGJpbi9oYW5kbGVycy5nbw==) | `99.57% <100.00%> (ø)` | |