Comment 8 for bug 2048493

What release was the bug introduced in? Has it been this way since at least Zed, or did it only show up in a later release? Just trying to figure out what backports we'll need and what affected versions to list if we issue an advisory for this.

Can another Horizon reviewer give the proposed patch in comment #7 a once-over?

Since the possible exploit scenarios for this are somewhat limited by client-side security measures and safe browsing practices, I think we can proceed in public and try to get this backported to stable/2024.1 in time for the upcoming release. Does anyone have concerns with taking that approach for expediency?