Microsoft Research has published an excellent paper describing many browser flaws. The primary use case involves an attacker hijacking the explicitly configured proxy used by the user; via HTTP code trickery, they can access the content on an established HTTPS connection. It also outlines browser flaws involving caching of SSL certs in combination with some of the previous trickery. Probably one of the better papers I've read in years.
If proxies are your thing (whose aren't they!), I published a paper a couple of months ago on an architectural flaw involving transparent/intercepting proxies at http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html.