This seems to be explained in better detail by https://bo0om.ru/chrome-and-safari-uxss. Working via Google Translate, the claim seems to be that using MHTML and XSLT allows you to bypass the sandboxing rules and inject JavaScript that bypasses the same-origin policy.
This is available before the security issue is expected to be made public in 14 weeks window & exactly why you need to keep whatever Chromium engine in your application up-to-date.
4 comments
[ 2.9 ms ] story [ 20.9 ms ] threadThe linked blog credits a Chromium patch that led to the discovery of this exploit: https://chromium-review.googlesource.com/c/chromium/src/+/65...