Feature request: Add otpauth as a safelisted scheme for protocol registration handling

[JakeChampion]

Section of the spec this relates to --> https://html.spec.whatwg.org/multipage/webappapis.html#safelisted-scheme

Description of problem:
I have a web application which handles storing and generating time-based one-time-passwords (TOTP). Most services which implement multi-factor authentication (MFA/2FA) surface the otpauth link as a QR-code for the user to scan. I would like to register my web application to handle these links, much like native applications can such as Google Authenticator and Authy.

Solution:
Add otpauth to the safelisted scheme list, this will mean user-agents will no longer throw a "SecurityError" DOMException.

This is the change I would like to make:

 - bitcoin
 - geo
 - im
 - irc
 - ircs
 - magnet
 - mailto
 - mms
 - news
 - nntp
 - openpgp4fpr
+- otpauth
 - sip
 - sms
 - smsto
 - ssh
 - tel
 - urn
 - webcal
 - wtai
 - xmpp

[domenic]

Closing per #2205 (comment)

[fred-wang]

It seems there is new interest to extend the whitelist by browser vendors. Is there still community interest to add otpauth?

[JakeChampion]

Yes, I am still very interesting in having otpauth work for my PWA

[TheHllm]

Yes of course there is interest for that.
I would also like to add that regardless of interest otpauth should be added, as i do not see any new risks in doing so.
Even with out this tricking a user into giving away their topt/hotp secret by scanning a qr code via a website / having them enter the information is not much harder (in terms of permission requests etc. that a user would have to (in most brwosers) accept).

[fred-wang]

@JakeChampion @TheHllm Per discussion on #5482 (comment) one of the proposal is to ensure they are registered at https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml which does not seem to be the case right now. If you can help on this, that would be great.