Images from all mojang subdomains can still be sent as valid skull URLs.

My test case for this was http://minecon.mojang.com/images/sky.png . There's still a failure to validate image size, allowing any image mojang has ever posted on *.mojang.com or *.minecraft.net to be sent. This could potentially result in the exact same security issues that I mentioned in MC-79152. There should be size validation as well as URL whitelist validation to ensure that the skin sent is in fact a valid skin, not Mojang's favicon or another random image from either whitelisted site.