Parsing logic may accept hosts that are invalid to use with an https origin
majido opened this issue · 1 comments
majido commented
The current parsing algorithm accepts any character between '@' and space to be the host part of the origin.
However, per the URL spec, a host cannot contain certain characters:
"A forbidden host code point is U+0000 NULL, U+0009 TAB, U+000A LF, U+000D CR, U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003C (<), U+003E (>), U+003F (?), U+0040 (@), U+005B ([), U+005C (\), U+005D (]), or U+005E (^)."
I think it makes sense to verify the captured host is valid before accepting it.
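A sketch of the check proposed in this issue, added here as an example and not code from the issue or the project: it captures the host the way the issue describes and rejects it if it contains any code point from the quoted list. The function names and the sample messages are constructed for illustration, and only the forbidden code point list quoted above is checked, not the rest of the URL spec's host parsing.

```javascript
// Forbidden host code points, exactly as listed in the spec text quoted in the issue.
const FORBIDDEN_HOST_CODE_POINTS = new Set([
  0x0000, 0x0009, 0x000a, 0x000d, 0x0020, 0x0023, 0x0025, 0x002f, 0x003a,
  0x003c, 0x003e, 0x003f, 0x0040, 0x005b, 0x005c, 0x005d, 0x005e,
]);

// Hypothetical capture step modeled on the issue's description:
// everything between the first '@' and the next space is taken as the host.
function captureHost(message) {
  const at = message.indexOf("@");
  if (at === -1) return null;
  const end = message.indexOf(" ", at + 1);
  return message.slice(at + 1, end === -1 ? message.length : end);
}

// Returns the first forbidden code point in `host`, or null if there is none.
function findForbiddenHostCodePoint(host) {
  for (const ch of host) {
    const cp = ch.codePointAt(0);
    if (FORBIDDEN_HOST_CODE_POINTS.has(cp)) return cp;
  }
  return null;
}

// Accept the captured host only if it is non-empty and free of forbidden
// code points; otherwise report why it was rejected.
function validateOriginHost(message) {
  const host = captureHost(message);
  if (host === null || host === "") return { ok: false, reason: "no host captured" };
  const bad = findForbiddenHostCodePoint(host);
  if (bad !== null) {
    const hex = bad.toString(16).toUpperCase().padStart(4, "0");
    return { ok: false, reason: "forbidden host code point U+" + hex };
  }
  return { ok: true, origin: "https://" + host };
}

// Constructed sample messages (not taken from the issue).
const samples = [
  "@example.com 123456",
  "@example.com/path 123456",
  "@example.com:8443 123456",
  "@a.example@b.example 123456",
  "@exam\tple.com 123456",
];
for (const m of samples) console.log(JSON.stringify(m), validateOriginHost(m));
```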
samuelgoto commented
Can we mark this as fixed?