Originally found in actions/setup-dotnet#110.
When fetching a shell script from the URL https://dot.net/v1/dotnet-install.sh in a test using @actions/http-client, there are 2 redirects involved:
- A 301 redirect from https://dot.net/v1/dotnet-install.sh to https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh;
- A 302 redirect from https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh to /download/dotnet/scripts/v1/dotnet-install.sh.
The second redirect fails with the following message:
Redirect from HTTPS to HTTP protocol. This downgrade is not allowed for security reasons. If you want to allow this behavior, set the allowRedirectDowngrade option to true.
However, there are no redirects from HTTPS to HTTP, just a redirect to a relative URI (which should preserve the HTTPS protocol).
The issue seems to be located in the following if:
```ts
if (
  parsedUrl.protocol == 'https:' &&
  parsedUrl.protocol != parsedRedirectUrl.protocol &&
  !this._allowRedirectDowngrade
) {
```
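The following is an added example, not part of the original report and not code from @actions/http-client. It shows how a protocol comparison of the shape quoted above flags a relative `Location` value as a downgrade, and how resolving the value against the responding URL before the comparison keeps the HTTPS-to-HTTP protection while accepting relative redirects. The helper names (`schemeOf`, `naiveIsDowngrade`, `resolveRedirect`) are hypothetical, and it assumes the `Location` header is parsed on its own, without a base URL.

```javascript
// Added example: hypothetical helpers, not code from @actions/http-client.

// Second hop from the report: the URL that answered with the 302, and the
// relative Location value it returned.
const RESPONDING_URL =
  'https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh'
const RELATIVE_LOCATION = '/download/dotnet/scripts/v1/dotnet-install.sh'

// Scheme of a URI reference taken on its own; null for a relative reference.
// Models parsing the Location header without a base URL (assumption).
function schemeOf(ref) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(ref)
  return m ? m[1].toLowerCase() + ':' : null
}

// Comparison in the shape quoted in the report: the two protocols are
// compared as parsed, so a Location with no scheme looks like a downgrade.
function naiveIsDowngrade(currentUrl, location) {
  const from = schemeOf(currentUrl)
  return from === 'https:' && from !== schemeOf(location)
}

// Resolve Location against the responding URL first (the WHATWG URL
// constructor performs the reference resolution), then apply the check.
function resolveRedirect(currentUrl, location, allowDowngrade = false) {
  const from = new URL(currentUrl)
  const to = new URL(location, from) // relative references inherit https:
  if (from.protocol === 'https:' && to.protocol !== 'https:' && !allowDowngrade) {
    throw new Error(`Refusing redirect from ${from.protocol} to ${to.protocol}`)
  }
  return to.href
}

// The relative redirect is misclassified by the naive comparison ...
console.log(naiveIsDowngrade(RESPONDING_URL, RELATIVE_LOCATION))
// ... and accepted, still on HTTPS, once it is resolved first.
console.log(resolveRedirect(RESPONDING_URL, RELATIVE_LOCATION))
```

A real downgrade, such as an absolute `http://` value in `Location`, is still rejected by `resolveRedirect` unless the caller opts in.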