=== How does this work?

The application should avoid opening URLs that are constructed with untrusted data.

When such a feature is strictly necessary, SSRF can be mitigated by applying
an allow-list of trustable schemes and domains.