On OS X, the Firefox Profile directory is stored within ~/Library/Application Support/Firefox/Profiles/. ~/Library is read/write protected with a few exceptions for some specific subdirectories. Access to $HOME and other areas of the filesystem is not restricted. i.e., the content process can read and write to/from anywhere the OS permits: $HOME and temporary directories. The ~/Library read/write prevention could be bypassed because the rest of the $HOME is read/write accessible. For example, a compromised process could add malicious commands to ~/.login-type files to copy data from ~/Library when a user logs in.

1. A compromised content process shouldn't be able to read arbitrary files, but when the user does File->Open or uses a file:/// URI, that must continue to work.

The sandbox on each platform will restricts read access to some areas.

• Windows: Level 2 access removes user's SID, removing access to various User resources (including the profile directory). System file access (Program Files, Windows system folder) still allowed for proper operation of binaries.
• OSX Filter rules restrict access to various areas of the system and $HOME
• Linux: File broker will manage read access to various areas of the system.

User content navigation:

• We plan to have a separate content process that will handle accessing local content. (bug 1147911)
• Question: If file:// access is remoted to the parent, could the contents of the URL bar be used to determine the allowable scope and accept/reject files as necessary? (Discussed previously by :billm, :bobowen.)

Internal uses:

• Parser, layout, XBL, Js access files using file:// need to be looked over. Most should be associated with loading content. Some may be leveraged by extensions.

Extensions:

• Access to profile resources need to be restricted. This may break some extensions.

1. Extensions load scripts and resources from the profile directory using chrome://, resource://, moz-extension:// URI's.
2. Extensions call loadFromScript("chrome://foo/bar") from the Parent process results in Content trying to load that URL.
3. Content scripts running in the content process may use chrome:// URI's to load supporting code.
4. Web content can use chrome:// and resource:// URI's.
5. Firefox may use chrome://, resource://, moz-extension:// URI's internally from the content process.

Notes:

• For chrome://, resource://, and moz-extension:// URI's accessible files are defined by registrations performed in the parent process and can be filtered.
• Question: Can extensions be installed outside the profile 'extensions' directory?
• Question: Do these methods of access all rely on our file:/// URLs handling?

1. For print-to-file (e.g., PDF, postscript).
2. Printing to a printer seems to work with write access to $HOME disabled. Without using print_via_parent, using dtrace I saw plugin-container read from ~/.cups/client.conf and write to the content process temp dir ~/Library/Caches/TemporaryItems/Temp-{UUID}.