Arbitrary protocol redirection
### Summary

GitLab Pages can be used to redirect to arbitrary protocols in the authentication flow.

### Steps to reproduce

Consider the following URL:

```
https://projects.gitlab.io/auth?domain=mailto://gitlab-com.gitlab.io?body=OMGWTF&state=aaa
```

After the login redirect to `gitlab.com`, it redirects the user to their mail client.

![image](/uploads/44a20d4331d7cc8ee9699884c47d8bc7/image.png)

This might potentially be used, e.g. on mobile devices, to exfiltrate the authentication token via a custom URL handler.

### What is the current *bug* behavior?

Redirect to arbitrary protocols is possible.

### What is the expected *correct* behavior?

Redirect should only be possible to `https` or `http` URLs.
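The expected behaviour above (only `http` or `https` targets) comes down to validating the `domain` parameter before issuing the redirect. The following Go program is an added example, not GitLab Pages's own code: `ValidateRedirectTarget` and `AuthRedirect` are hypothetical names, and `AuthRedirect` is a simplified model of the final step of an `/auth` endpoint that only carries the `state` value through. It parses the target with `net/url`, allows just `http`/`https` with a non-empty host, and fails closed with a 400 for anything else, including the `mailto://` form from the report and scheme-relative `//host` values.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrBadRedirect is returned for any domain value that is not an absolute http(s) URL.
var ErrBadRedirect = errors.New("redirect target must be an absolute http or https URL")

// ValidateRedirectTarget parses the raw `domain` query value and returns it only
// if it is an absolute http or https URL with a host. Every other scheme
// (mailto, custom app schemes), the scheme-relative "//host" form and bare
// host names are rejected. Hypothetical helper, not the project's code.
func ValidateRedirectTarget(raw string) (*url.URL, error) {
	if raw == "" {
		return nil, ErrBadRedirect
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, ErrBadRedirect
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		// allowed
	default:
		return nil, ErrBadRedirect
	}
	if u.Host == "" {
		return nil, ErrBadRedirect
	}
	return u, nil
}

// AuthRedirect models the last step of an /auth endpoint: it validates the
// `domain` parameter, re-attaches `state`, and sends the browser there with
// a 302. An invalid target produces a 400 instead of any redirect.
func AuthRedirect(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	target, err := ValidateRedirectTarget(q.Get("domain"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	v := target.Query()
	v.Set("state", q.Get("state"))
	target.RawQuery = v.Encode()
	http.Redirect(w, r, target.String(), http.StatusFound)
}

func main() {
	// Constructed sample inputs: the value from the report, a scheme-relative
	// variant, and a legitimate https target.
	for _, raw := range []string{
		"mailto://gitlab-com.gitlab.io?body=OMGWTF",
		"//gitlab-com.gitlab.io",
		"https://gitlab-com.gitlab.io",
	} {
		if u, err := ValidateRedirectTarget(raw); err != nil {
			fmt.Printf("reject %q: %v\n", raw, err)
		} else {
			fmt.Printf("allow  %q -> %s\n", raw, u.String())
		}
	}
}
```

The check is an allowlist on the scheme rather than a denylist of known-bad schemes, so a custom URL handler registered by a mobile app is rejected for the same reason `mailto:` is: it is simply not `http` or `https`.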