Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-source: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.