Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-26 Thread Gian-Carlo Pascutto
On 06-07-17 16:07, Alex Gaynor wrote:
> Hi dev-platform,
>
> On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm delighted
> to announce that starting later this week, our macOS and Windows nightly builds
> will prohibit read access to most of the filesystem in the content

Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-21 Thread Haik Aftandilian
On Fri, Jul 21, 2017 at 7:48 AM, Andrea Marchesini wrote:
> There are some APIs able to read files in the content process using
> nsFileInputStream: FileReader is one of them.
> The file is opened on the parent process (because of a FilePicker, or
> Entries API), the

Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-21 Thread Andrea Marchesini
There are some APIs able to read files in the content process using nsFileInputStream: FileReader is one of them. The file is opened on the parent process (because of a FilePicker, or Entries API), the file descriptor is sent to the content process where the reading happens. Is this supported yet?

Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-21 Thread bowen
As a follow-up to this, tomorrow's (2017-07-22) Nightly will have this enabled for the Windows content process sandbox as well. On Windows this removes access that the User gains via their own SID. So generally things under their home directory (C:\Users\\). With exceptions for the Firefox

Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-06 Thread Frederik Braun
Hooray, this is great news!

On 06.07.2017 16:07, Alex Gaynor wrote:
> Hi dev-platform,
>
> On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm delighted
> to announce that starting later this week, our macOS and Windows nightly builds
> will prohibit read access to most of