I wanted to post some test cases and results in case anyone was interested. From a penetration testing and security perspective, registering protocol handlers and arbitrary web+ schemes introduces a new attack vector that could be abused or misused. I'm not saying that's an abomination by any means; it's simply something else we need to be aware of when testing or writing Web applications.

A good bit of the threats have been listed at http://dev.w3.org/html5/spec/Overview.html#security-and-privacy. I can see others relating to cross-origin issues and user interface confusion. For Web apps, there's potential for data exfiltration depending on the use case and implementation details, so it's not so much a fault of the new prefix as much as how it might be naively used. I made some test cases that are available online at http://www.lookout.net/test/handler/ and posted my results across 20 different questions to http://web.lookout.net/2012/01/testing-registerprotocolhandler-and-web.html. Please send any feedback my way.

Best regards,
Chris Weber