-
Firefox requires being able to load chrome:// and resource:// URLs for things like the media player, with the origin set to the remote URL that triggered the load. This is unfortunate in that there's no way to disambiguate malicious JS versus someone opening a video file (for example). See https://trac.torproject.org/projects/tor/ticket/19837#comment:5 for why this is a huge nightmare and will eventually require C++ code.
61b395a4