Any subdomains of minecraft.net and mojang.com are considered valid skin hosts
The bug
The method com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService.isWhitelistedDomain(String) considers any subdomain of minecraft.net and mojang.com a valid skin host. This allows, for example, downloading attachments from the bug tracker, since the URL would be https://bugs.mojang.com/secure/attachment/. Since moderators and developers here might not be able to remove all malicious files, or some might be disguised, this could cause problems.
Additionally, the protocol is not checked; instead, only the cast to HttpURLConnection in net.minecraft.client.renderer.ThreadDownloadImageData.loadTextureFromServer().new Thread() {...}.run() prevents using other protocols (by accident?).
How to reproduce
Use the following command:
/setblock ~ ~ ~ skull default replace {Owner:{Id:"0-0-0-0-0",Properties:{textures:[{Value:"eyJ0ZXh0dXJlcyI6IHsiU0tJTiI6IHsidXJsIjogImh0dHBzOi8vYnVncy5tb2phbmcuY29tL3NlY3VyZS9hdHRhY2htZW50LzU1MTEyL3NlZXRocm91Z2glMjBnbGFzc2VzLnBuZyJ9fX0="}]}},SkullType:3b}
→ The skin URL used is https://bugs.mojang.com/secure/attachment/55112/seethrough%20glasses.png, which can be seen by Base64-decoding the value.
2017-10-31, 06:33 PM
2021-09-22, 06:44 PM
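Added example, not part of the original report and not authlib's own code: it decodes the textures value from the command above and compares a suffix-based host check, reconstructed from the report's description, with a stricter check that requires https and an exact host match. The class and method names are hypothetical, and the single allowlisted host textures.minecraft.net is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

public class SkinHostCheck {
    // Assumption: the only host expected to serve textures; adjust to the real deployment.
    static final Set<String> ALLOWED_HOSTS = Set.of("textures.minecraft.net");
    static final Pattern URL_FIELD = Pattern.compile("\"url\"\\s*:\\s*\"([^\"]+)\"");

    // Extract the skin URL from a Base64 textures value (regex keeps the example dependency-free).
    static String skinUrl(String base64Value) {
        String json = new String(Base64.getDecoder().decode(base64Value), StandardCharsets.UTF_8);
        Matcher m = URL_FIELD.matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static URI parse(String url) {
        try { return url == null ? null : new URI(url); }
        catch (URISyntaxException e) { return null; }
    }

    // Behaviour the report describes: suffix match on the host, scheme never inspected.
    static boolean permissiveCheck(String url) {
        URI uri = parse(url);
        if (uri == null || uri.getHost() == null) return false;
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        return host.endsWith(".minecraft.net") || host.endsWith(".mojang.com");
    }

    // Stricter variant: https only, exact host match, no userinfo, default port.
    static boolean strictCheck(String url) {
        URI uri = parse(url);
        return uri != null && uri.getHost() != null
            && "https".equalsIgnoreCase(uri.getScheme())
            && uri.getUserInfo() == null
            && (uri.getPort() == -1 || uri.getPort() == 443)
            && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Value copied from the /setblock command in the report.
        String value = "eyJ0ZXh0dXJlcyI6IHsiU0tJTiI6IHsidXJsIjogImh0dHBzOi8vYnVncy5tb2phbmcuY29tL3NlY3VyZS9hdHRhY2htZW50LzU1MTEyL3NlZXRocm91Z2glMjBnbGFzc2VzLnBuZyJ9fX0=";
        String url = skinUrl(value);
        System.out.println(url + " permissive=" + permissiveCheck(url) + " strict=" + strictCheck(url));
    }
}
```

The suffix check accepts the bug tracker attachment URL, while the strict check rejects it because bugs.mojang.com is not on the exact-match allowlist.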