Add FTP related protocols to the registerProtocolHandler safelist.

Closes #6583

source

@@ -2363,6 +2363,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      </li>
      <li><dfn data-x-href="https://url.spec.whatwg.org/#valid-url-string">valid URL string</dfn></li>
      <li>The <dfn data-x-href="https://url.spec.whatwg.org/#cannot-have-a-username-password-port">cannot have a username/password/port</dfn> concept</li>
+     <li>The <dfn data-x="concept-url-includes-credentials" data-x-href="https://url.spec.whatwg.org/#include-credentials">includes credentials</dfn> concept</li>
      <li>The <dfn data-x-href="https://url.spec.whatwg.org/#url-opaque-path">opaque path</dfn> concept</li>
      <li><dfn data-x="concept-url-serializer" data-x-href="https://url.spec.whatwg.org/#concept-url-serializer">URL serializer</dfn> and its
          <dfn data-x="url serializer exclude fragment" data-x-href="https://url.spec.whatwg.org/#url-serializer-exclude-fragment">exclude fragment</dfn> argument</li>
@@ -98314,6 +98315,19 @@ interface <dfn interface>Navigator</dfn> {
      <li><p>Assert: <var>inputURL</var>'s <span data-x="concept-url-scheme">scheme</span> is
      <var>normalizedScheme</var>.</p></li>
 
+     <li>
+      <p>If <var>inputURL</var> <span data-x="concept-url-includes-credentials">includes
+      credentials</span> then:</p>
+
+      <ol>
+       <li><p><span data-x="set the username">Set the username</span> given <var>inputURL</var> and the
+       empty string.</p></li>
+
+       <li><p><span data-x="set the password">Set the password</span> given <var>inputURL</var> and
+       the empty string.</p></li>
+      </ol>
+     </li>
+
      <li><p>Let <var>inputURLString</var> be the <span
      data-x="concept-url-serializer">serialization</span> of <var>inputURL</var>.</p></li>
 
@@ -98395,6 +98409,8 @@ interface <dfn interface>Navigator</dfn> {
 
     <ul class="brief">
      <li><code data-x="">bitcoin</code></li> <!-- https://en.bitcoin.it/wiki/BIP_0021 -->
+     <li><code data-x="">ftp</code></li>
+     <li><code data-x="">ftps</code></li>
      <li><code data-x="">geo</code></li>
      <li><code data-x="">im</code></li>
      <li><code data-x="">irc</code></li>
@@ -98406,6 +98422,7 @@ interface <dfn interface>Navigator</dfn> {
      <li><code data-x="">news</code></li>
      <li><code data-x="">nntp</code></li>
      <li><code data-x="">openpgp4fpr</code></li>
+     <li><code data-x="">sftp</code></li>
      <li><code data-x="">sip</code></li>
      <li><code data-x="">sms</code></li>
      <li><code data-x="">smsto</code></li>
@@ -98495,14 +98512,6 @@ interface <dfn interface>Navigator</dfn> {
   allowing administrators to disable custom handlers on certain subdomains, content types, or
   schemes.</p>
 
-  <p><strong>Leaking credentials.</strong> User agents must never send username or password
-  information in the URLs that are escaped and included sent to the handler sites. User agents may
-  even avoid attempting to pass to web-based handlers the URLs of resources that are known to
-  require authentication to access, as such sites would be unable to access the resources in
-  question without prompting the user for credentials themselves (a practice that would require the
-  user to know whether to trust the third-party handler, a decision many users are unable to make or
-  even understand).</p>
-
   <p><strong>Interface interference.</strong> User agents should be prepared to handle intentionally
   long arguments to the methods. For example, if the user interface exposed consists of an "accept"
   button and a "deny" button, with the "accept" binding containing the name of the handler, it's
@@ -127503,6 +127512,7 @@ INSERT INTERFACES HERE
   Arthur Stolyar,
   Arun Patole,
   Aryeh Gregor,
+  Asanka Herath,
   Asbj&oslash;rn Ulsberg,
   Ashley Gullen,
   Ashley Sheridan,