It was brought up during the latest postMessage patching in Mozilla that the HTML5-mandated origin for file: URIs groups all local file system pages into a single origin. Pages are increasingly being used in application-like contexts, and if Java is any example, grouping all files into the same origin will eventually be problematic (if one even chooses to argue it isn't now). (Firefox 3's postMessage will be intentionally non-conforming with respect to file: pages in that sending a message to a file: page will only work if you use "*" as the targetOrigin, in the interests of not having different security behaviors.)
Firefox 3 changes from an all-files-are-same-origin model to a contains-based model, roughly this in at least some cases: a file may load any file which is a sibling of it, and it may load any file which is a descendant of the file's parent directory. I'm certain I'm horribly mangling what actually happens in practice in at least some situations, based on what I've read of the security comparison functions, but this is at least a start at describing the behavior for specification. The original bug was <https://bugzilla.mozilla.org/show_bug.cgi?id=230606>, but follow dependencies and read comments to see what sort of issues were actually encountered in practice and couldn't be ignored without breaking wide swathes of content. Jeff -- Life would be so much easier if humans had a natural affinity for remembering 128-bit integers.
