net/http: `CrossOriginProtection` insecure bypass patterns not limited to exact matches [1.25 backport]

[gopherbot]

@FiloSottile requested issue #75054 to be considered for backport to the next 1.25 minor release.

We decided to fix this as a PUBLIC track security issue, since it's potentially surprising security-related behavior.

@gopherbot please backport to Go 1.25.

[gopherbot]

Change https://go.dev/cl/699276 mentions this issue: [release-branch.go1.25] net/http: require exact match for CrossSiteProtection bypass patterns

[rolandshoemaker]

Approving as a security relevant backport with little danger.

[gopherbot]

Closed by merging CL 699276 (commit b1959cf) to release-branch.go1.25.