Firefox 68 has tightened the same-origin policy to prevent locally-saved malicious HTML content from accessing other files in the same directory. This could be an issue if you’re testing your site on your own machine directly through the
file:// URL, and having a script in a separate file or embedding an
<iframe>, for example.
While a simple, self-contained HTML file may still work, it’s highly recommended to set up a local server if you want to test a site with assets. There are easy-to-use tools like MAMP or XAMPP, and macOS also comes with the Apache server.
Update: This change is affecting various other things as well, including web fonts, workers and XSLT. Bug 1566172 has a list of those cases.