Mobile Firefox local file access

[MasterInQuestion]

    See also:
    https://github.com/mozilla-mobile/fenix/issues/7546

[[
[ David A. Madore @ CE 2023-06-15 10:46:58 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1806171#c4
    How does Chrome / Chromium / the Android native browser (whatever it should be called) handle this issue?
    Do they also disallow "file://" URLs?

    This whole situation is incredibly silly.

    If I understand correctly:
    Android's security model is so complex, so badly designed or so broken that somehow "opening a local file" has become a security issue. (which it emphatically is not on a PC, so the non-Android Firefox can open "file://" URLs fine)
    Apparently there isn't even an easy fix of allowing opening files in "/sdcard" or so, and because of this Firefox must prevent users from even opening the files which they themselves downloaded a minute ago.
    So Firefox can't function as an image viewer or as a PDF viewer (bug #1815739), for which it would otherwise be great, because... opening local files is dangerous?!

    This is beyond absurd, especially as PDF viewers for Android are ripe with security issues and using Firefox's pdfjs would probably be a great improvement for everyone.
    And as the issue is very complex, this bug will never be fixed.
    But in the mean time, Chrome works fine, and nobody knows why.

    Am I correctly summarizing the situation, or is there something I missed? ]

----

[ Master ? @ CE 2023-11-18 22:18:53 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1806171#c7
    The CVE itself looks much non-sense:
    Malicious app on system may steal certain files from Firefox.

    Actually such app would potentially steal arbitrary files without even involving Firefox... Same for all practical systems.

    Thoughtless operation is incurable security-wise. ]
]]
    @Gro-Tsen, somewhat reformatted your text for better readability.
    Reposted there mostly for the potential "off-topic".

[MasterInQuestion]

    [ Quote Kevin Brosnan @ CE 2022-12-20 17:24:45 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1806171#c2
    "about:config" is a poor fit for controlling features on Fenix because of the hard separation.
    Making it optional is risky it becomes a one click button to allow "Theft of arbitrary files from local system" which is a sec-high rated problem. ]

    “Internet is a scary place.
    Unapt users shouldn't be allowed to connect to which.”

    Also had a similar discussion some time ago:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1754301#c13

[MasterInQuestion]

    [ Quote David A. Madore @ CE 2023-06-15 10:46:58 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1806171#c4
    Android's security model is so complex, so badly designed or so broken that somehow "opening a local file" has become a security issue. (which it emphatically is not on a PC, so ...) ]
<^>    The very problem exists for all practical systems.
    But Android appears trying some vain attempt to address the unsolvable thereafter ended up something doesn't work at all...

    Google is shipping billions of broadband connected Unix machines: with hardly any of them administered by any competent sysadmin.

    If someone habitually posts whose sensitive data to social media...
    How to help?