Remote web pages are not supposed to be able to detect what files a user has on their local machine. Certain types of HTML elements may behave differently when they attempt to reference local files that exist. The attempt to load the local file will be blocked, but different JavaScript events may fire, allowing the presence of the local file to be detected. The contents of the local file will not be exposed, and the attacker will need to be able to guess the path to the local file in order to check for its existence.