Restrict (un)registerProtocolHandler to secure contexts
Fixes #5068. Fixes #4017.

This also clarifies the example about leaking private data, which made
less sense after b143dbc.
ericlaw1979 authored and domenic committed Nov 19, 2019
1 parent d014949 commit 6772a03
Showing 1 changed file with 11 additions and 25 deletions.
36 changes: 11 additions & 25 deletions source
Expand Up @@ -94998,8 +94998,8 @@ interface <dfn>Navigator</dfn> {
<h5 id="custom-handlers">Custom scheme handlers: the <code data-x="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code> method</h5>

<pre><code class="idl" data-x="">interface mixin <dfn>NavigatorContentUtils</dfn> {
void <span data-x="dom-navigator-registerProtocolHandler">registerProtocolHandler</span>(DOMString scheme, USVString url, DOMString title);
void <span data-x="dom-navigator-unregisterProtocolHandler">unregisterProtocolHandler</span>(DOMString scheme, USVString url);
[SecureContext] void <span data-x="dom-navigator-registerProtocolHandler">registerProtocolHandler</span>(DOMString scheme, USVString url, DOMString title);
[SecureContext] void <span data-x="dom-navigator-unregisterProtocolHandler">unregisterProtocolHandler</span>(DOMString scheme, USVString url);
};</code></pre>

<p>The <dfn><code
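Review bot: `[SecureContext]` is applied to each operation separately rather than to the `NavigatorContentUtils` mixin; since these two are its only members, annotating the mixin itself (`[SecureContext] interface mixin NavigatorContentUtils`) would make any future member inherit the restriction automatically. Also worth stating in the method prose: with this attribute the operations are simply absent from `navigator` in non-secure contexts, so a page that feature-detects with `'registerProtocolHandler' in navigator` gets `false` there rather than an exception.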
Expand Down Expand Up @@ -95246,7 +95246,7 @@ interface <dfn>Navigator</dfn> {

<h6>Security and privacy</h6>

<p>These mechanisms can introduce a number of concerns, in particular privacy concerns.</p>
<p>Custom scheme handlers can introduce a number of concerns, in particular privacy concerns.</p>

<p><strong>Hijacking all Web usage.</strong> User agents should not allow schemes that are key to
its normal operation, such as an <span>HTTP(S) scheme</span>, to be rerouted through third-party
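Review bot: naming the subject ("Custom scheme handlers") instead of the vague "These mechanisms" is an improvement, since the section covers a single feature. Unrelated pre-existing nit in the unchanged context: "User agents should not allow schemes that are key to its normal operation" should read "their normal operation".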
Expand All @@ -95266,7 +95266,7 @@ interface <dfn>Navigator</dfn> {
handle such hostile attempts, protecting the user.</p>

<p><strong>Misleading titles.</strong> User agents should not rely wholly on the <var>title</var>
argument to the methods when presenting the registered handlers to the user, since sites could
argument to the method when presenting the registered handlers to the user, since sites could
easily lie. For example, a site <code data-x="">hostile.example.net</code> could claim that it was
registering the "Cuddly Bear Happy Scheme Handler". User agents should therefore use the handler's
origin in any UI along with any title.</p>
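Review bot: the singular "method" is correct here, since only registerProtocolHandler() takes a <var>title</var> argument; unregisterProtocolHandler() has no title, so the old plural was misleading. No further change needed.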
Expand All @@ -95276,27 +95276,13 @@ interface <dfn>Navigator</dfn> {
in such strings are not executed, that null bytes are properly handled, that over-long strings do
not cause crashes or buffer overruns, and so forth.</p>

<p><strong>Leaking Intranet URLs.</strong> The mechanism described in this section can result in
secret Intranet URLs being leaked, in the following manner:</p>

<ol>

<li>The user registers a third-party scheme handler as the default handler for a scheme.</li>

<li>The user then browses their corporate Intranet site and accesses a URL that uses that
scheme.</li>

<li>The user agent contacts the third party and hands the third party the URL to the Intranet
content.</li>

</ol>

<p>No actual confidential file data is leaked in this manner, but the URLs themselves could
contain confidential information. For example, the URL could be <code
data-x="">https://www.corp.example.com/upcoming-aquisitions/the-sample-company.egf</code>, which
might tell the third party that Example Corporation is intending to merge with The Sample Company.
Implementors might wish to consider allowing administrators to disable this feature for certain
subdomains, content types, or schemes.</p>
<p><strong>Leaking private data.</strong> Web page authors may reference a custom scheme
handler using URL data considered private. They might do so with the expectation that the user's
choice of handler points to a page inside the organization, ensuring that sensitive data will not
be exposed to third parties. However, a user may have registered a handler pointing to an
external site, resulting in a data leak to that third party. Implementors might wish to consider
allowing administrators to disable custom handlers on certain subdomains, content types, or
schemes.</p>

<p><strong>Leaking credentials.</strong> User agents must never send username or password
information in the URLs that are escaped and included sent to the handler sites. User agents may
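Review bot: the replacement paragraph drops the numbered step-by-step scenario and the concrete URL, which were the most readable illustration of how the leak happens; consider keeping a one-line example (a custom-scheme URL whose path embeds a project or partner name) so readers see what "URL data considered private" means in practice. The reframing from "user registered a third-party handler" to "author expected an in-organization handler" matches the commit message's intent, but "reference a custom scheme handler using URL data considered private" is ambiguous; "construct custom-scheme URLs that embed private data" would be clearer. Pre-existing in the unchanged context: "in the URLs that are escaped and included sent to the handler sites" has a stray word ("included sent").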
