I'm voting against completely disabling XHR to file://, it is very useful for locally debugging RIAs.
My case is an ExtJS-based RIA. While debugging I use a feature of automatic loading based on classes' 'requires' definitions (ofc, I pack it before deploying). This way I get all the files (see file-origin-Debugger.png), not mangled, in the Debugger panel of DevTools. From here I can easily navigate to one of the 500 classes by invoking Ctrl+P (go to file) instead of looking through all the usages with Ctrl+Shift+F (find in files). Moreover, I don't need to wait while the Debugger (additionally) parses source maps or formats a 100k+ line file.
However, even when all files are cached it takes 8-9 seconds for i5-7300HQ+NVMe to reload! (See file-load-localhost, web server is NginX). In contrast to less than a second when loading from file:// (see file-loading-file, second timestamp is output after motd request).
Of course, this is a niche approach, you can't do that with node_modules yet.
With file://, cache is not an issue any more either: no force reloading what has not changed, no confusion why the changes are not there (though must-revalidate might help, but that's additional configuration I must not forget to add in the new project).
As for an ability to run XHRs to file://: this project wants to load a sibling motd file and the other is loading a required sibling JSON file with some runtime configuration.
So, please keep a property to support file:// XHRs.
Do I understand correctly that security.fileuri.strict_origin_policy allows XHR access to files outside the HTML file's directory? And the now-removed privacy.file_unique_origin controlled XHR access to sibling files and directories? If so, my vote is to return privacy.file_unique_origin instead of retaining security.fileuri.strict_origin_policy. Bug 1665056 says security.fileuri.strict_origin_policy is used to share top-level directory resources when testing Firefox itself. Maybe test suites could use privacy.file_unique_origin after symlinking those resources as siblings?
P.S. PACE on screenshots is not Parliamentary Assembly of the Council of Europe. ☺