Remove Chrome JS direct vectors to arbitrary machine code
We should consider patching Firefox to remove ways that extension-level JS can execute machine code.
Right now, this includes jsctypes, any ways there might be to load a binary XPCOM component from a DLL at runtime (these may have been removed with Firefox 4+'s new-style component registration), and maybe the ability to launch apps from JS XPCOM.
I contend this doesn't make much sense to do until we have functional sandboxes, though, because simply the ability to read and write arbitrary files can be used to bootstrap arbitrary code exec eventually.
It will also break addons that try to use this functionality. Most notably, Moxie's Convergence relies on jsctypes.
However, once sandboxes are deployed, removing these features will block the ability of UXSS exploits to directly attack certain system calls. This will raise the bar for sandbox breakout for these types of bugs.
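A small audit script, added here and not part of the ticket, that flags the vectors named above in an unpacked extension's source so an addon can be checked before such a patch lands. It assumes the usual spellings (the ctypes.jsm module URL, ctypes.open(), the nsIProcess contract ID, and the chrome.manifest binary-component directive); obfuscated or dynamically built strings are out of scope.

```python
import re
from pathlib import Path
from typing import Dict, List

# One regex list per vector named in the ticket. Assumption: extensions spell these
# out literally; strings assembled at runtime will not be matched.
VECTOR_PATTERNS: Dict[str, List[str]] = {
    "js-ctypes": [
        r"resource://gre/modules/ctypes\.jsm",   # js-ctypes module import
        r"\bctypes\.open\s*\(",                   # loads a native library
    ],
    "binary-xpcom": [
        r"^\s*binary-component\b",                # chrome.manifest native component directive
    ],
    "process-launch": [
        r"@mozilla\.org/process/util;1",          # nsIProcess contract ID
        r"\bnsIProcess\b",
    ],
}

def scan_text(text: str) -> Dict[str, List[int]]:
    """Return {vector: [1-based line numbers]} for every pattern hit in one file."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for vector, patterns in VECTOR_PATTERNS.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(vector, []).append(lineno)
    return hits

def scan_extension(root: Path) -> Dict[str, Dict[str, List[int]]]:
    """Walk an unpacked extension directory; return {relative path: hits} for files with hits."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.suffix in {".js", ".jsm", ".xul"} or path.name == "chrome.manifest"):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample of extension JS exercising two of the three vectors.
SAMPLE_JS = """\
Components.utils.import("resource://gre/modules/ctypes.jsm");
var lib = ctypes.open("libc.so.6");
var proc = Components.classes["@mozilla.org/process/util;1"]
             .createInstance(Components.interfaces.nsIProcess);
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE_JS))
```

Run scan_extension(Path("/path/to/unpacked-addon")) against a real addon directory to get a per-file report; a hit in any category means the addon would break under the proposed patch.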