Angular platform-server SSRF Guard Found Incomplete: HTTP Absolute-Form Request Targets Bypass the Fix
A security gap in Angular's `@angular/platform-server` package leaves server-side rendering (SSR) deployments exposed to Server-Side Request Forgery (SSRF) via HTTP absolute-form request targets. The weakness lies in the `parseUrl` function within `ServerPlatformLocation`: a recent patch addressed protocol-relative (`//host`) and backslash URL bypasses, but did not account for the absolute-form request target, a standard request-line format defined in RFC 7230.
The original fix checks whether an incoming URL string begins with a forward slash and, if so, prepends the server origin. That check does not catch absolute-form request targets, which begin with the scheme and full hostname rather than a path. When Nginx, AWS Application Load Balancer, or a similar reverse proxy forwards a request whose request line carries a full URL, Express receives a string such as `http://evil.com/` that passes the guard because it starts with `h` rather than `/`. The URL parser then treats the string as an absolute URL and ignores the server origin entirely, so the request resolves to the external host, potentially enabling an attacker to redirect the server's internal requests to arbitrary hosts.
The issue specifically affects deployments using `@angular/platform-server` where the application sits behind reverse proxies that preserve or reconstruct absolute-form request targets in `req.url`. Developers relying on Angular Universal or similar SSR configurations should audit their infrastructure to determine whether incoming request URLs are normalized before reaching the application layer. While the vulnerability requires a misconfigured or non-standard proxy setup to be exploitable, the presence of this bypass in the guard logic indicates a fundamental gap in threat modeling for server-side rendering environments handling untrusted input.
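The guard logic described above, shown beside a normalizer that pins every request-target form to one trusted origin. This is an added example and not Angular's own code; `TRUSTED_ORIGIN`, `naiveParseUrl`, `normalizeRequestTarget` and the sample targets are constructed for illustration.

```javascript
// Added example, not Angular's own code: the incomplete guard described
// above next to a normalizer that pins every request-target form to one
// trusted origin. TRUSTED_ORIGIN and the sample targets are constructed.
const TRUSTED_ORIGIN = 'https://app.example';

// Incomplete guard: only origin-form targets (leading "/") get the origin
// prepended. An absolute-form target such as "http://evil.com/" is passed
// straight to the parser, which then takes its host from the string.
function naiveParseUrl(requestUrl, origin = TRUSTED_ORIGIN) {
  const candidate = requestUrl.startsWith('/') ? origin + requestUrl : requestUrl;
  return new URL(candidate);
}

// Hardened version: reduce whatever the proxy forwarded to path + query,
// then resolve that against the trusted origin, so the request line can
// never choose the host. Uses the global WHATWG URL class (Node >= 10).
function normalizeRequestTarget(requestUrl, origin = TRUSTED_ORIGIN) {
  // The WHATWG parser treats "\" as "/" for http(s), so fold it first and
  // handle "\\evil.com" exactly like "//evil.com".
  let target = requestUrl.replace(/\\/g, '/');

  // Absolute-form (RFC 7230 section 5.3.2) and protocol-relative targets
  // both carry an authority; keep only the path and query from them.
  const absoluteForm = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//;
  if (absoluteForm.test(target) || target.startsWith('//')) {
    try {
      const parsed = new URL(target.startsWith('//') ? 'http:' + target : target);
      target = parsed.pathname + parsed.search;
    } catch {
      target = '/'; // unparseable authority: fall back to the root path
    }
  }

  // Collapse any run of leading slashes to one; a path beginning "//host"
  // would otherwise be re-read as an authority by the relative resolver.
  target = '/' + target.replace(/^\/+/, '');
  const resolved = new URL(target, origin);

  // Defence in depth: refuse anything that still escaped the origin.
  if (resolved.origin !== new URL(origin).origin) {
    throw new Error('request target escaped the trusted origin');
  }
  return resolved;
}
```

Running both functions over the same absolute-form target makes the difference visible: the naive guard yields a URL whose host is the attacker-chosen one, while the normalizer returns the same path on the trusted origin.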