Rules with $url.scheme=='chrome' are not taken into account. As a consequence the security feature of blocking chrome access to web pages does not work at all.
The reason is a bug in the source code of kabl-policy.js, namely a reference to a non-existing object 'originLocation' is being used instead of 'requestOrigin'. Diff follows:
--- kabl-policy.js_orig 2007-06-28 10:58:20.000000000 +0200
+++ kabl-policy.js 2007-11-10 01:51:42.229006400 +0100
@@ -204,7 +204,7 @@
// if it is chrome, and so is the origin, let it through
if (contentLocation.schemeIs('chrome') &&
- originLocation.schemeIs('chrome')
+ requestOrigin.schemeIs('chrome')
) {
return this.ACCEPT;
}