If you run one of those demos on Microsoft Windows, you’ll see pretty things happening, like calc.exe being launched behind your back.
Both Petko and I said this vulnerability is theoretically cross-platform, but as many reported it couldn’t actually be reproduced on Mac OS X.
It doesn’t come as a real surprise, though, since this is just another cross-application URI dispatching bug, and the Apple OS has already shown to manage this issue in a much saner way than its counterpart from Redmond.
At any rate, on Windows at least, this can be exploited to do anything the currently logged user can.
Even if gnucitizen.org is in your whitelist, nothing bad will happen thanks to the specific top-level chrome protection implemented almost 3 months ago.