See also bug 371923 and bug 305692. This is mostly an XSS hazard, since most users don't load chrome documents often (right?).
The summary just wants a pref and does not say what the default is, on or off. Comment 0 suggests off, but allowing in-page references to load. Comment 1 says the threat is not chrome: privs (mostly). What's the threat and how does a pref help? If the threat is real, why give a pref even to enable the attack (default off), instead of providing a defense so we can avoid yet another pref? /be
For data: URLs, fixing bug 656823 would be better.
Is this WONTFIX now? /be
Yes. I don't think a pref is the answer here.