Setting an mhtml: prefix on the current URL via history.pushState and then opening a new window caused a null pointer dereference in KERNELBASE!StrCmpCW during urlmon’s redirect security check, crashing the browser.
history.pushState("","","mhtml:" + location.href); // This sets mhtml as our address.
window.open(1); // And this crashes the browser.
The crash occurred in urlmon!CINet::ProtocolAllowedForRedirect, which called StrCmpCW with a null pointer as one of its arguments: the malformed mhtml: base URL had been passed through the redirect processing chain, and the string compare was reached with nothing to compare.
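The bug class above, as an added illustration in C that is not urlmon's code: a redirect security check compares the scheme of the page's base URL with the scheme of the redirect target, and the compare is reached with a NULL scheme. The post does not say which step produced the null, so this model simply assumes that unwrapping an "mhtml:" base URL can yield no inner URL; the function and buffer names are hypothetical, and the hardened check fails closed instead of dereferencing.

```c
#include <stddef.h>
#include <wchar.h>

/* Copy the scheme of url (text before the first ':') into buf.
 * Returns buf, or NULL when url has no usable scheme. */
const wchar_t *scheme_of(const wchar_t *url, wchar_t *buf, size_t n) {
    if (url == NULL) return NULL;
    const wchar_t *colon = wcschr(url, L':');
    if (colon == NULL || colon == url) return NULL;      /* no "scheme:" prefix */
    size_t len = (size_t)(colon - url);
    if (len + 1 > n) return NULL;                        /* would not fit */
    wmemcpy(buf, url, len);
    buf[len] = L'\0';
    return buf;
}

/* Model of the "mhtml:" wrapper: hand the inner URL to later stages.
 * Assumption (not from the post): a wrapper with nothing after it yields
 * NULL, standing in for the malformed base URL the post describes. */
const wchar_t *unwrap_mhtml(const wchar_t *url) {
    if (url == NULL || wcsncmp(url, L"mhtml:", 6) != 0) return url;
    return url[6] == L'\0' ? NULL : url + 6;
}

/* Buggy shape: the compare dereferences whatever it is handed. Calling this
 * with a NULL scheme is the crash in the post (StrCmpCW given a null pointer). */
int allowed_unsafe(const wchar_t *base_scheme, const wchar_t *target_scheme) {
    return wcscmp(base_scheme, target_scheme) == 0;     /* undefined if NULL */
}

/* Hardened shape: a check that cannot determine either scheme denies the
 * redirect rather than guessing or crashing. */
int allowed_safe(const wchar_t *base_scheme, const wchar_t *target_scheme) {
    if (base_scheme == NULL || target_scheme == NULL) return 0;
    return wcscmp(base_scheme, target_scheme) == 0;
}

/* Decide whether a same-scheme redirect from base_url to target_url is allowed,
 * using the hardened compare. Returns 1 if allowed, 0 otherwise. */
int protocol_allowed_for_redirect(const wchar_t *base_url, const wchar_t *target_url) {
    wchar_t b[16], t[16];
    const wchar_t *bs = scheme_of(unwrap_mhtml(base_url), b, 16);
    const wchar_t *ts = scheme_of(target_url, t, 16);
    return allowed_safe(bs, ts);
}
```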
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.