From 0c68202fab672972f721300d8fd12a5a0a019f0a Mon Sep 17 00:00:00 2001 From: girst Date: Thu, 26 Sep 2019 22:03:26 +0200 Subject: [PATCH] Document config file sandboxing issues and workarounds on Fx57+ Further discussion in bug #939. --- documentation/config-file.md | 36 +++++++++++++++++++++++++++++++++++- extension/lib/config.coffee | 26 +++++++++++++++++++++++++- 2 files changed, 60 insertions(+), 2 deletions(-) diff --git a/documentation/config-file.md b/documentation/config-file.md index dd24c1b..42a62f2 100644 --- a/documentation/config-file.md +++ b/documentation/config-file.md @@ -44,7 +44,13 @@ Follow these steps to get started: `/home/you/.config/vimfx` or `C:\Users\you\vimfx`, or start with a `~` (which is a shortcut to your home directory) such as `~/.config/vimfx` or `~\vimfx`. -4. Run the `gC` command in VimFx. That needs to be done any time you change +4. If you are running Firefox 57+, whitelist the `config_file_directory` by + setting `security.sandbox.content.read_path_whitelist` (Linux and Windows) or + `security.sandbox.content.mac.testing_read_path1` (OS X) to the absolute path + of the config directory (`~` not supported) ending on `/` (or `\`). You may + have to restart the browser after modifying these prefs. + +5. Run the `gC` command in VimFx. That needs to be done any time you change `config_file_directory`, or edit `config.js` or `frame.js`. This tells VimFx to reload the config file. If everything went well, a [notification] should appear (in the bottom-right corner of the window) telling you that the config 
@@ -180,3 +186,31 @@ each open tab. `frame.js` also runs every time you open a new tab. (See also [the `shutdown` event].) [the `shutdown` event]: api.md#the-shutdown-event + + +## On Process Sandboxing + +Electrolysis (e10s) introduced a process sandbox; a security feature limiting +the impact of exploits in a content process. With the release of Firefox +Quantum (57) the sandbox was tightened to disallow file system reads, which +requires `frame.js` and other files accessed from a content process to be +whitelisted. Mozilla provides a pref, +`security.sandbox.content.read_path_whitelist`, that accepts a comma-separated +list of paths. If a path ends with a path separator (i.e. `/` or `\`), the +whole directory will become whitelisted. This pref is unavailable on OS X, +where you instead get two [undocumented prefs], +`security.sandbox.content.mac.testing_read_path1` and +`security.sandbox.content.mac.testing_read_path2`, each accepting one directory +path to whitelist. + +If you want to read other files from the file system from `frame.js`, place +them inside the whitelisted directory or add their paths to the +`read_path_whitelist`. Analogously, a `write_path_whitelist` exists on non-OSX +systems; OS X users may be able to write to the `extensions` and `chrome` +subdirectories inside the profile directory instead. + +Weakening the sandbox by setting `security.sandbox.content.level` to 2 is not +recommended, as this will open up a [potentially devastating security hole]. + +[undocumented prefs]: https://hg.mozilla.org/mozilla-central/file/c31591e0b66f277398bee74da03c49e8f8a0ede0/dom/ipc/ContentChild.cpp#l1701 +[potentially devesatating security hole]: https://bugzilla.mozilla.org/show_bug.cgi?id=1221148#c30 diff --git a/extension/lib/config.coffee b/extension/lib/config.coffee index dc3f09f..ccfe9af 100644 --- a/extension/lib/config.coffee +++ b/extension/lib/config.coffee 
@@ -3,6 +3,7 @@ createConfigAPI = require('./api') messageManager = require('./message-manager') utils = require('./utils') +prefs = require('./prefs') {OS} = Components.utils.import('resource://gre/modules/osfile.jsm', {}) @@ -29,6 +30,20 @@ load = (vimfx, options = null, callback = ->) -> messageManager.send('loadConfig', null, callback) +checkSandbox = (expandedDir) -> + prefix = 'security.sandbox.content' + if prefs.root.get("#{prefix}.level") > 2 + return true + + if Services.appinfo.OS == 'Darwin' + whitelisted = [ + prefs.root.get("#{prefix}.mac.testing_read_path1"), + prefs.root.get("#{prefix}.mac.testing_read_path2") + ] + else + whitelisted = prefs.root.get("#{prefix}.read_path_whitelist").split(',') + return not whitelisted.some((e) -> e.startsWith(expandedDir)) + loadFile = (dir, file, scope) -> expandedDir = utils.expandPath(dir) uri = OS.Path.toFileURI(OS.Path.join(expandedDir, file)) @@ -42,7 +57,16 @@ loadFile = (dir, file, scope) -> }) return null catch error - console.error("VimFx: Error loading #{file}", uri, error) + # in e10s Firefox / Firefox Quantum the content process sandbox might + # prevent us from accessing frame.js. The error message is incomprehensible + # without explanation. + if typeof error == 'string' and + error.startsWith('Error opening input stream (invalid filename?)') and + checkSandbox(expandedDir) + console.error("VimFx: Error loading #{file} likely due to e10s sandbox") + console.info("Please consult VimFx' documentation on config files.") + else + console.error("VimFx: Error loading #{file}", uri, error) return error module.exports = { -- 2.39.3
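Review bot: In `checkSandbox`, the early `return true` for `level > 2` appears to leave the whitelist lookup reachable only at levels where, per the documentation added in this same patch, content-process reads are not restricted (indentation is flattened on this page, so the nesting is inferred). A directory that is correctly whitelisted would then still be reported as a sandbox problem at any level above 2; the guard probably wants to be `return false if prefs.root.get("#{prefix}.level") <= 2`. The match `e.startsWith(expandedDir)` is a raw string prefix test from entry to directory: it misses a whitelisted parent directory and accepts a sibling path that merely begins with the same characters, so compare on a path-separator boundary and also test whether `expandedDir` lies under `e`. If `prefs.root.get` can return a non-string for an unset pref, `.split(',')` and `e.startsWith` would throw; that is not visible here and should be confirmed.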
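Review bot: The new sandbox branch in the `catch` logs neither `uri` nor `error`, so when the heuristic misfires the original failure is no longer visible anywhere; keep them in the call, `console.error("VimFx: Error loading #{file} likely due to e10s sandbox", uri, error)`. Matching on the literal prefix `'Error opening input stream (invalid filename?)'` ties the diagnosis to wording that may differ between Firefox versions, so a comment saying where that string originates would help the next maintainer. `checkSandbox` runs inside the handler, so any exception it raises would escape `loadFile` instead of reaching `return error`; whether that can happen depends on what `prefs.root.get` returns for unset prefs, which is not shown. `loadFile` begins above this hunk.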