Security researcher Nicolas Golubovic reported that the Content Security Policy
(CSP) of data: documents was not saved as part of session restore. If an
attacker convinced a victim to open a document from a data: URL injected onto a
page, this could lead to a Cross-Site Scripting (XSS) attack. The target page
may have a strict CSP that protects against this XSS attack, but if the attacker
induces a browser crash with another bug, an XSS attack would occur during
session restoration, bypassing the CSP on the site.