Link opened in new tab can load a local file — Mozilla

Links with a custom getter and toString method can bypass checks intended to prevent web content from linking to local files and "chrome" URIs if the user can be convinced to middle-click or control-click to open it in a new tab. The browser's "same-origin" policy prevents the attacker's content...