add security note about accessing urls

[gregsdennis]

What kind of change does this PR introduce?

clarification

Issue & Discussion References

• Closes Security considerations should mention treating URIs as URLs (from $ref and $schema) #1231

Summary

Adds a security note about performing network operations when encountering URLs.

The last sentence in the addition was taken directly from @awwright's comment in the issue.

Does this PR introduce a breaking change?

no

[jdesrosiers]

This doesn't mention any security considerations. It's a requirement that we made for security reasons, but it's not a security consideration itself.

We could talk about the security considerations that led to that decision, but that feels out-of-place to me. This section should be about things implementers need to consider and protect against. It's not supposed to be a place for us to justify decisions we made for security reasons.

Because this requirement is a "SHOULD" and not a "MUST", we could talk about the security considerations that implementers who chose to support that kind of retrieval need to be aware of. That's the only way I think this makes sense.