Filesystem access is allowed by firefox, filepicker and permission similar issues

[flpydsk]

Current Behavior

Firefox is not restricted from accessing the local FS outside of the config/downloads dir in both normal and kiosk mode.

• on any page CTRL+S opens the filepicker
• file:// method is allowed, allowing a user to view any local file. e.g. file:///etc/fstab
• its still possible to interact with the URL bar in kiosk mode

Expected Behavior

• all !/config dirs would be disallowed from FS access
• filepicker disabled (no need for it to even be accessible)
• file:// method is disallowed
• Kiosk mode wording to be changed to reflect it its functionally equivalent fo F11/fullscreen

Steps To Reproduce

File upload: Press Ctrl+S, notice access to filesystem, navigate to fileupload service e.g. privatebin.com and upload an arbitrary file from !~|!/config, downloading is rescricted obviously to dirs with write permissions File method: file:///etc/fstab Kiosk: while widnow resizing on first connect or switching from home page to new tab you have a small window where you can focus on the URL bar

Environment

• OS: Amazon linux
• Docker version: Docker version 24.0.5, build ced0996
• Browser/OS: Firefox

Container creation

Num=1; docker run -d --name=firefox$Num -p 127.0.0.1:580$Num:5800 jlesage/firefox

Num=1; docker run -d -e FF_KIOSK="1" --name=firefox$Num -p 127.0.0.1:580$Num:5800 -p 127.0.0.1:590$Num:5900 -v /firefox/1:/config:rw jlesage/firefox

Container log

Not needed for this issue.

Container inspect

No response

Anything else?

remove r,x,w from all non required dirs/files Disallow file:// method Disable filepicker

There really should be no need for filesystem access directly only indirectly for saving firefox config in some cases, maybe consider this as an option?

Reword kiosk mode to reflect its similarity to fullscreen mode and not 'restricted'

[jlesage]

file:// method is allowed, allowing a user to view any local file. e.g. file:///etc/fstab all !/config dirs would be disallowed from FS access

Could you elaborate more on why this is an issue ? To my knowledge, there no sensitive information that can be retrieved from the filesystem. The filesystem is minimal and contains only what is required to run Firefox. It is also mostly read-only for Firefox.

on any page CTRL+S opens the filepicker filepicker disabled (no need for it to even be accessible)

The file picker is needed to allow users to select where to save downloaded files.

its still possible to interact with the URL bar in kiosk mode Kiosk mode wording to be changed to reflect it its functionally equivalent fo F11/fullscreen

Kiosk mode is a feature of Firefox itself. It is not the same thing as viewing a page in fullscreen. User is limited in what it can do in this mode. Could you provide detailed steps you use to get access to the URL bar in this mode ?

[flpydsk]

As I see it FS access could be used for information gathering and profiling and with all the vulnerabilities in everything recently its an unnecessary privilege especially since this is running in a container so any insecurity in the container can affect the system as a whole, including other containers. primarily this is just an unnecessary permission that really has no upside.

Ill create a PR soon™ with an option to disable it if its acceptable to have it as an option in upstream. my use case is literally as an isolated and ephemeral browser

On Kiosk mode, searches placed from the homepage are not entered in to the homepage search box, instead your focus is switched to the url bar, meaning you can just enter and arbitrary url in kiosk mode. its required that no default url be specified in the container. though typing this out it sounds more Firefox issue, id still probably change the language.