Golang net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches [1.25 backport]

@FiloSottile requested issue #75054 to be considered for backport to the next 1.25 minor release.

We decided to fix this as a PUBLIC track security issue, since it's potentially surprising security-related behavior.

@gopherbot please backport to Go 1.25.

Comment From: gopherbot

Change https://go.dev/cl/699276 mentions this issue: [release-branch.go1.25] net/http: require exact match for CrossSiteProtection bypass patterns