Level 1: Low integrity restricts write access Level 2: Adds restrictions to read access

On OS X, the Firefox Profile directory is stored within ~/Library/Application Support/Firefox/Profiles/. ~/Library is read/write protected with a few exceptions for some specific subdirectories. Access to $HOME and other areas of the filesystem is not restricted. i.e., the content process can read and write to/from anywhere the OS permits: $HOME and temporary directories. The ~/Library read/write prevention could be bypassed because the rest of the $HOME is read/write accessible. For example, a compromised process could add malicious commands to ~/.login-type files to copy data from ~/Library when a user logs in.

Level 2: Read allowed. Write allowed in /dev/shm and /tmp (TMPDIR).

1. A compromised content process shouldn't be able to read arbitrary files, but when the user does File->Open or uses a file:/// URI, that must continue to work.

The sandbox on each platform will restricts read access to some areas.

• Windows: Level 2 access removes user's SID, removing access to various User resources (including the profile directory). System file access (Program Files, Windows system folder) still allowed for proper operation of binaries.
• OSX Filter rules restrict access to various areas of the system and $HOME
• Linux: File broker will manage read access to various areas of the system.

Sync file access from content:

• Parser, layout, XBL, Js access files using file:// need to be researched. Most should be associated with loading content. Some of this code may be leveraged by extensions. Most of these are sync in nature, and some leverage the nsIFile interface.

User content navigation:

• We plan to have a separate content process that will handle accessing local content. (bug 1147911)
• Question: If file:// access is remoted to the parent, could the contents of the URL bar be used to determine the allowable scope and accept/reject files as necessary? (Discussed previously by :billm, :bobowen.)

Extensions:

• Access to profile resources need to be restricted. This may break some extensions. We should file bugs on individual issues.

• More open file access security restrictions
• e10s-multi dependent

1. Extensions load scripts and resources from the profile directory using chrome://, resource://, moz-extension:// URI's.
2. Extensions call loadFromScript("chrome://foo/bar") from the Parent process results in Content trying to load that URL.
3. Content scripts running in the content process may use chrome:// URI's to load supporting code.
4. Web content can use chrome:// and resource:// URI's.
5. Firefox may use chrome://, resource://, moz-extension:// URI's internally from the content process.

Notes:

• resource: URLs
  • Aliased mappings to chrome uris
  • can be accessed via frame scripts
• moz-extension: URLs
  • new scheme related to webextensions
• For chrome://, resource://, and moz-extension:// URI's accessible files are defined by registrations performed in the parent process and can be filtered.
• Question: Can extensions be installed outside the profile 'extensions' directory?
• Question: Do these methods of access all rely on our file:/// URLs handling?

1. For print-to-file (e.g., PDF, postscript).
2. Printing to a printer seems to work with write access to $HOME disabled. Without using print_via_parent, using dtrace I saw plugin-container read from ~/.cups/client.conf and write to the content process temp dir ~/Library/Caches/TemporaryItems/Temp-{UUID}.

This can be address via moz-extension, resource, or chrome URLs.

• nsIStyleSheetService does not work with file:// URLs with read restricted sandbox, which is expected.
• Should we reject file urls here in the content process? What type of error response do we give as a result?

• Originally a dupe of bug 1187099
• Jed commented that this could be used to fix Blob URL issues in the content process.