This is a specification change that will require a CSR but the compatibility impact should be low.

It is strange that URLStreamHandler::setURL throws SecurityException when a handler mismatch is detected. It would make more sense to throw IllegalArgumentException in this case.