Open Bug 1932976 Opened 17 days ago Updated 17 days ago

Investigate using App Group Containers for profile data

Categories

(Core :: Widget: Cocoa, task)

task

Tracking

()

People

(Reporter: haik, Unassigned)

Details

Investigate use of App Group Containers to store Firefox profile data. This would improve the local security of Firefox profile data by requiring the user to approve any read or write of profile data by other applications.

See the macOS 15 release notes:
https://developer.apple.com/documentation/macos-release-notes/macos-15-release-notes#System-Integrity-Protection

WWDC 24 description:
https://developer.apple.com/videos/play/wwdc2024/10123/?time=743

containerURLForSecurityApplicationGroupIdentifier API:
https://developer.apple.com/documentation/foundation/nsfilemanager/1412643-containerurlforsecurityapplicati?language=objc

This needs some more investigation, but since the location of profiles.ini would not have to change and we already support profiles at arbitrary locations in the filesystem, it could be that tools or other applications that read the profiles would not need to be updated for the new location.

The change could be done in multiple phases. At first, only new profiles are placed in the new location. Migrating existing profiles would be an optional second step.

There would be some risk to using the literal container path in profiles.ini if the path returned from containerURLForSecurityApplicationGroupIdentifier ever were to change. In that case, an OS upgrade would likely end up moving the data resulting in the path in profiles.ini no longer referring to the profile. That could be accounted for in code.

Per the docs,

Note
Always use the URL returned by this method to locate the group
directory rather than manually constructing a URL with an explicit path.
The exact location of the directory in the file system might change in
future releases of macOS, but this method will always return the correct URL.
You need to log in before you can comment on or make changes to this bug.