Someone (I believe RSnake) pointed out that many browser machines have PDF files in predictable locations that can be accessed via file:// links. That lets an attacker gain local JavaScript execution. At one point Firefox had a rule restricting http:// and https:// web pages from accessing file:// links. Does that rule still exist, and if so does it mitigate the risk posed to Firefox users?

Regards,
Brian