The initial allowed origins change disallowed the use of URL schemes other than `http` and `https`; for example, a mobile client wanting to use `my-app://auth-success` as the `return_url` could not do so.

We're updating the allowed origins such that any URL scheme is now accepted. However, we will explicitly disallow the `javascript:` and `data:` schemes for security reasons.
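The following is an added example of how a `return_url` check along these lines can be implemented, not the provider's own code: it accepts any scheme, rejects `javascript:` and `data:` outright, and then requires the URL's scheme and host to match an entry in a configured allowed-origins list. The function names (`parseOrigin`, `parseAllowedOrigins`, `validateReturnUrl`) and the sample origins are assumptions made for the example. It relies on the WHATWG `URL` parser, which lowercases the scheme and strips tabs, newlines and leading whitespace before matching, so spelling variants of `javascript:` are caught by the same comparison.

```javascript
// Added example (not the provider's code): return_url validation against an
// allowed-origins list. Any URL scheme is accepted, except javascript: and
// data:, which are always rejected. Function and config names are assumptions.

const DENIED_SCHEMES = new Set(["javascript:", "data:"]);

// Parse an absolute URL and reduce it to the "origin" string we compare on:
// scheme + "//" + host[:port]. The WHATWG URL parser lowercases the scheme,
// strips ASCII tab/newline anywhere in the input and leading/trailing
// whitespace, so "JavaScript:" or "java\nscript:" still yield "javascript:".
function parseOrigin(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Check the scheme before anything else: javascript:/data: URLs have no
  // host, and we want the rejection reason to say why they were refused.
  if (DENIED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} is not allowed` };
  }
  // Design choice for this example: a return URL must carry an authority
  // ("my-app://auth-success"), otherwise there is no origin to match against.
  if (url.host === "") {
    return { ok: false, reason: "URL has no host to match against" };
  }
  // url.origin is "null" for non-special schemes, so build the key by hand.
  return { ok: true, origin: `${url.protocol}//${url.host}`, url };
}

// Normalise the configured allowed origins through the same parser, so that
// a misconfigured entry (e.g. a javascript: URL) fails at load time.
function parseAllowedOrigins(entries) {
  const allowed = new Set();
  for (const entry of entries) {
    const parsed = parseOrigin(entry);
    if (!parsed.ok) {
      throw new Error(`invalid allowed origin ${JSON.stringify(entry)}: ${parsed.reason}`);
    }
    allowed.add(parsed.origin);
  }
  return allowed;
}

// Validate a client-supplied return_url. Returns { ok: true, origin, url }
// with the normalised URL to redirect to, or { ok: false, reason }.
function validateReturnUrl(returnUrl, allowedOrigins) {
  const parsed = parseOrigin(returnUrl);
  if (!parsed.ok) return parsed;
  if (!allowedOrigins.has(parsed.origin)) {
    return { ok: false, reason: `origin ${parsed.origin} is not in the allowed origins list` };
  }
  return { ok: true, origin: parsed.origin, url: parsed.url.href };
}

// Constructed sample configuration: one web origin and one mobile scheme.
const SAMPLE_ALLOWED = parseAllowedOrigins([
  "https://app.example.com",
  "my-app://auth-success",
]);

for (const candidate of [
  "https://app.example.com/callback?state=abc", // allowed
  "my-app://auth-success",                      // allowed (custom scheme)
  "javascript:alert(1)",                        // denied scheme
  "JavaScript:alert(1)",                        // denied, case-folded by the parser
  "data:text/html,hello",                       // denied scheme
  "https://app.example.com.evil.example/cb",    // not in the allowed list
  "/relative/path",                             // not an absolute URL
]) {
  console.log(JSON.stringify(candidate), "=>", validateReturnUrl(candidate, SAMPLE_ALLOWED));
}
```

Matching on scheme plus host rather than on a string prefix is what prevents `https://app.example.com.evil.example` from passing as `https://app.example.com`; and because the allowed list is parsed with the same function as the incoming URL, the two sides are normalised identically (default ports dropped, hosts lowercased) before comparison.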