If you don't use WebKit to build a browser on Linux, you can ignore this message. By default, WebKit allows local HTML files to inject script into any web page. That means that if you open a local HTML file on your machine, it can effective XSS every web site, including the user's bank or webmail provider. To protect against this threat, we have the following setting Settings::setAllowUniversalAccessFromFileURLs which disables this behavior. For legacy reasons, we default this setting to "true," but I'd like to encourage to use the "false" setting by default in your browser, especially if your browser runs on Linux. This issue is particularly important on Linux because many Linux users use a network file system, such as AFS or NFS, which maps the entire world into the local file system. For example, if I made my home directly world-readable, it's quite likely that I would be able to control this URL on your user's machines: file:///afs/cs.stanford.edu/u/abarth If you don't override WebKit's default setting, I might be able to leverage this ability to read your user's email or transact on your user's bank accounts. Of course, even with the "false" setting, I might still be able to read the contents of your user's /etc/passwd file or other sensitive information in your user's file system. Over time, I hope we can further restrict the privileges granted to file URLs. However, removing universal access is a necessary first step. Please let me know if you have any questions. Adam