Description
cc @mikewest
Step 3 of [1] refers to [2] which treats URL’s origin as opaque if the scheme is not one of "blob", "ftp", "http", "https", "ws", "wss", "file". This means that when [2] is called, it will return immediately because of step 1.
Unless we want to modify the HTML5 spec, [1] should probably say the origin is non-opaque if "scheme component is one which the user agent considers to be authenticated", so that the algo can continue until step 7 of [2].
For example Chrome adds (at least) "filesystem:" and "quicktransport:": https://source.chromium.org/chromium/chromium/src/+/master:url/url_util.cc;l=34;drc=9d93b04dae6a8f145c266f680b14fa52c99c5b76
(incidentally, the mention of filesystem: in the note of [1] is weird since it's not mentioned in https://url.spec.whatwg.org/#concept-url-origin)
[1] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[2] https://url.spec.whatwg.org/#concept-url-origin
[3] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
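The short-circuit described in this issue can be reproduced with any WHATWG URL implementation. The following is an added example, not code from the specs or from Chromium: a reduced model of the origin check (loopback, localhost and `file:` steps omitted) run under Node.js. The names `UA_AUTHENTICATED_SCHEMES`, `originOf`, `isOriginTrustworthy` and `classify` are hypothetical, and the sample URLs are constructed.

```javascript
// Hypothetical list of schemes a user agent "considers to be authenticated".
const UA_AUTHENTICATED_SCHEMES = new Set(["quicktransport"]);

const schemeOf = (u) => u.protocol.slice(0, -1);

// Origin of a URL. With treatAuthenticatedAsTuple=false this is the runtime's
// URL Standard behaviour: schemes outside its list serialize as "null" (opaque).
// With true, it models the change suggested in the issue.
function originOf(url, treatAuthenticatedAsTuple) {
  if (url.origin !== "null") {
    return { opaque: false, scheme: schemeOf(new URL(url.origin)) };
  }
  if (treatAuthenticatedAsTuple && UA_AUTHENTICATED_SCHEMES.has(schemeOf(url))) {
    return { opaque: false, scheme: schemeOf(url) };
  }
  return { opaque: true };
}

// Origin check reduced to the steps the issue discusses.
function isOriginTrustworthy(origin) {
  if (origin.opaque) return "Not Trustworthy"; // early return on opaque origin
  if (origin.scheme === "https" || origin.scheme === "wss") {
    return "Potentially Trustworthy";
  }
  // Only reachable when the origin is a tuple origin.
  if (UA_AUTHENTICATED_SCHEMES.has(origin.scheme)) {
    return "Potentially Trustworthy";
  }
  return "Not Trustworthy";
}

function classify(input, treatAuthenticatedAsTuple) {
  return isOriginTrustworthy(originOf(new URL(input), treatAuthenticatedAsTuple));
}

// Constructed sample URLs.
for (const s of [
  "https://example.com/",
  "http://example.com/",
  "quicktransport://example.com/",
  "filesystem:https://example.com/temporary/a.txt",
]) {
  console.log(s, "| origin:", new URL(s).origin,
    "| as specified:", classify(s, false),
    "| with suggested change:", classify(s, true));
}
```

The `quicktransport:` URL is rejected by the opaque-origin check before the authenticated-scheme check is reached, and only passes once its origin is treated as non-opaque.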