Brave Software: Onion-Location header allows to open arbitrary URLs including chrome:
The "Open in Tor" feature in Brave Nightly for OSX allowed arbitrary URLs to be opened through the Onion-Location response header, including privileged URLs such as chrome://restart/. This could be exploited to bypass SOP restrictions and gain access to privileged URLs...