ttalvitie
commented
2 years ago First, a couple of notes:
- This is not a breach of the Browservice security model: typical browsers can similarly access local files with the privileges of the current user through
file:, and the warnings in the documentation indicate that Browservice has similar permissions on the proxy machine as any normal local browser. /etc/passwdis not particularly secret: it is typically readable by all users and in all systems modern enough to run Browservice, it does not contain any actual passwords. A bigger practical risk is the access to passphraseless SSH private key files of the current user.
So far, I have decided not to block the file: protocol in order to not give users a false sense of security; there are probably ways around the block (as the embedded Chromium browser has not been designed to completely isolate the interactive user from the privileges of the user running the process). However, I do recognize that there might be practical value in having the file: blocked anyway to at least slow down some interactive attacks. Thus I plan to do the following:
- Block the loading of
file:URLs by default; add a command line switch to re-enable it as some users might already be relying on local file access. - If a user tries to open a blocked
file:URL, show a clearly worded error message that explains that the block is only snake oil and there might be ways around it (to avoid giving the user a false sense of security).
Can you disable accessing local files via file:// method? I know you gave a warning about this. Maybe you want to completely disable this feature.
You don't want this though..