Investigate using App Group Containers for profile data
Categories
(Core :: Widget: Cocoa, task)
People
(Reporter: haik, Unassigned)
Details
Investigate use of App Group Containers to store Firefox profile data. This would improve the local security of Firefox profile data by requiring the user to approve any read or write of profile data by other applications.
See the macOS 15 release notes:
https://developer.apple.com/documentation/macos-release-notes/macos-15-release-notes#System-Integrity-Protection
WWDC 24 description:
https://developer.apple.com/videos/play/wwdc2024/10123/?time=743
containerURLForSecurityApplicationGroupIdentifier API:
https://developer.apple.com/documentation/foundation/nsfilemanager/1412643-containerurlforsecurityapplicati?language=objc
Comment 1 (Reporter) • 17 days ago
This needs some more investigation, but since the location of profiles.ini would not have to change and we already support profiles at arbitrary locations in the filesystem, it could be that tools or other applications that read the profiles would not need to be updated for the new location.
The change could be done in multiple phases. At first, only new profiles are placed in the new location. Migrating existing profiles would be an optional second step.
There would be some risk to using the literal container path in profiles.ini if the path returned from containerURLForSecurityApplicationGroupIdentifier ever were to change. In that case, an OS upgrade would likely end up moving the data, resulting in the path in profiles.ini no longer referring to the profile. That could be accounted for in code.
Per the docs,
Note
Always use the URL returned by this method to locate the group
directory rather than manually constructing a URL with an explicit path.
The exact location of the directory in the file system might change in
future releases of macOS, but this method will always return the correct URL.
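
One way the path-change risk raised in Comment 1 could be handled, shown as an added example that is not Firefox code: persist only a container-relative path and ask the OS for the container root on each launch. The group identifier, the function names, the sample profile path and the idea of storing a container-relative value are all assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical identifier; a real one must appear in the app's
// com.apple.security.application-groups entitlement.
static NSString *const kGroupID = @"TEAMID.org.example.profiles";

// Ask the OS for the container root on every launch instead of caching it.
// On macOS a URL may be returned even when the group is not valid for this
// process, so also confirm that the directory is reachable.
static NSURL *GroupContainerRoot(void) {
  NSURL *root = [[NSFileManager defaultManager]
      containerURLForSecurityApplicationGroupIdentifier:kGroupID];
  if (!root || ![root checkResourceIsReachableAndReturnError:NULL]) return nil;
  return [root URLByResolvingSymlinksInPath];
}

// Value to persist: the profile's path relative to the container root.
// Returns nil when the profile does not live inside the container.
static NSString *ContainerRelativePath(NSURL *profile, NSURL *root) {
  NSString *prefix = [root.path stringByAppendingString:@"/"];
  NSString *path = [profile URLByResolvingSymlinksInPath].path;
  return [path hasPrefix:prefix] ? [path substringFromIndex:prefix.length] : nil;
}

// Rebuild the absolute location from the persisted value. Absolute paths and
// ".." components are rejected so an edited entry cannot point outside.
static NSURL *ResolveProfile(NSString *relPath, NSURL *root) {
  if (relPath.length == 0 || [relPath isAbsolutePath]) return nil;
  if ([relPath.pathComponents containsObject:@".."]) return nil;
  return [root URLByAppendingPathComponent:relPath isDirectory:YES];
}

int main(void) {
  @autoreleasepool {
    NSURL *root = GroupContainerRoot();
    if (!root) {
      NSLog(@"group container unavailable; check the entitlement");
      return 1;
    }
    // Constructed sample value standing in for what was persisted earlier.
    NSURL *profile = ResolveProfile(@"Profiles/example.default", root);
    NSLog(@"profile: %@ (stored as %@)", profile.path,
          ContainerRelativePath(profile, root));
  }
  return 0;
}
```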