From bd51c8dd67f33f3ceb79059a1f0a27740407e3c2 Mon Sep 17 00:00:00 2001
From: Asanka Herath <asanka@chromium.org>
Date: Wed, 14 Apr 2021 16:39:47 -0400
Subject: [PATCH] Add FTP related protocols to the `registerProtocolHandler`
 safelist.

Closes #6583
---
 source | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/source b/source
index 53a123e70a7..a241eee5119 100644
--- a/source
+++ b/source
@@ -98314,6 +98314,12 @@ interface <dfn interface>Navigator</dfn> {
      <li><p>Assert: <var>inputURL</var>'s <span data-x="concept-url-scheme">scheme</span> is
      <var>normalizedScheme</var>.</p></li>
 
+     <li><p><span data-x="set the username">Set the username</span> given <var>inputURL</var> and
+     the empty string.</p></li>
+
+     <li><p><span data-x="set the password">Set the password</span> given <var>inputURL</var> and
+     the empty string.</p></li>
+
      <li><p>Let <var>inputURLString</var> be the <span
      data-x="concept-url-serializer">serialization</span> of <var>inputURL</var>.</p></li>
 
@@ -98395,6 +98401,8 @@ interface <dfn interface>Navigator</dfn> {
 
     <ul class="brief">
      <li><code data-x="">bitcoin</code></li> <!-- https://en.bitcoin.it/wiki/BIP_0021 -->
+     <li><code data-x="">ftp</code></li>
+     <li><code data-x="">ftps</code></li>
      <li><code data-x="">geo</code></li>
      <li><code data-x="">im</code></li>
      <li><code data-x="">irc</code></li>
@@ -98406,6 +98414,7 @@ interface <dfn interface>Navigator</dfn> {
      <li><code data-x="">news</code></li>
      <li><code data-x="">nntp</code></li>
      <li><code data-x="">openpgp4fpr</code></li>
+     <li><code data-x="">sftp</code></li>
      <li><code data-x="">sip</code></li>
      <li><code data-x="">sms</code></li>
      <li><code data-x="">smsto</code></li>
@@ -98495,14 +98504,6 @@ interface <dfn interface>Navigator</dfn> {
   allowing administrators to disable custom handlers on certain subdomains, content types, or
   schemes.</p>
 
-  <p><strong>Leaking credentials.</strong> User agents must never send username or password
-  information in the URLs that are escaped and included sent to the handler sites. User agents may
-  even avoid attempting to pass to web-based handlers the URLs of resources that are known to
-  require authentication to access, as such sites would be unable to access the resources in
-  question without prompting the user for credentials themselves (a practice that would require the
-  user to know whether to trust the third-party handler, a decision many users are unable to make or
-  even understand).</p>
-
   <p><strong>Interface interference.</strong> User agents should be prepared to handle intentionally
   long arguments to the methods. For example, if the user interface exposed consists of an "accept"
   button and a "deny" button, with the "accept" binding containing the name of the handler, it's
@@ -127503,6 +127504,7 @@ INSERT INTERFACES HERE
   Arthur Stolyar,
   Arun Patole,
   Aryeh Gregor,
+  Asanka Herath,
   Asbj&oslash;rn Ulsberg,
   Ashley Gullen,
   Ashley Sheridan,