Trusted URLs improvements/refactors

Just making some notes to resolve later if you don't disagree with them anyway:

• Given that the list of TRUSTED_DEFAULT_URLs can be overridden, it's probably best to handle None explicitly.
• Add backward compatibility to work with string literals and check the start of the string.