The initial allowed origins change disallowed the use of URL schemes other than https; for example, a mobile client wanting to use my-app://auth-success as the return_url could not do so.
We're updating the allowed origins so that any URL scheme is now accepted. However, we will explicitly disallow the data: scheme for security reasons.
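
The policy described above, sketched as an added example (not this service's own code): a return_url check that accepts any scheme except data:. The function names, the sample allow-list, and the exact (scheme, host, port) matching rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The only scheme the text above says is rejected.
BLOCKED_SCHEMES = {"data"}

# Constructed sample allow-list (hypothetical values).
ALLOWED_ORIGINS = ["https://app.example.com", "my-app://auth-success"]


def origin_of(url):
    """Return (scheme, host, port), or None when the URL must be refused."""
    # Refuse whitespace and control characters instead of stripping them, so
    # " data:..." or "da\tta:..." cannot be normalised into a scheme later on.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return None
    try:
        parts = urlsplit(url)   # lowercases the scheme for us
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or parts.scheme in BLOCKED_SCHEMES:
        return None
    # Assumption: an origin needs an authority ("//host") to be comparable.
    if not parts.hostname:
        return None
    # Userinfo makes "https://app.example.com@other.test/" look trusted.
    if parts.username is not None or parts.password is not None:
        return None
    return (parts.scheme, parts.hostname, port)


def is_allowed_return_url(return_url, allowed_origins=ALLOWED_ORIGINS):
    """True when return_url's origin exactly matches an allow-listed origin."""
    candidate = origin_of(return_url)
    if candidate is None:
        return False
    return any(origin_of(entry) == candidate for entry in allowed_origins)
```

Ports are compared as written, so an allow-list entry without a port does not match a return_url that spells out :443.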