Mozilla Firefox file: URI Quirks
Mozilla Firefox exhibits an odd quirk when loading file: URI values that specify host components. When retrieving the data, the host portion is ignored. But when determining the origin of the data, the host is taken into account when displaying document.domain and location.host from JavaScript. RFC 1738 describes the file URL.
Download a simple demo and try it for yourself (source).
Although there are not any readily apparent attacks that can be implement from within Firefox, it suggests that there is a general confusion about the difference between what content is retrieved and how and where it is retrieved from. A quick test shows that Safari behaves the same as Firefox, but Internet Explorer attempts to treat the host as part of a UNC path. Opera treats the host as a UNC name, but Access Violates on the re-launch without host name.
Bug hunting at trust boundaries can be very fruitful.