It is common that users open HTML page from a downloaded zip file or just an attachment on email.
This page shows how in such case a malicious programmer can access user passwords.
Click Show data to see the collected info.
So Firefox should
restrict access for Javascript on page with "file:" protocol to its directory and sub dir
dir access should NOT be given for page in
root drive
windows folders and sub folders
My Documents, My Pictures, My ***
Desktop (it is ok to access if it is in sub folder of Desktop, My Documents, My Pictures, etc.)
User Profile folders
on Linux the root folder, home folder, under any .folder