2.2.5 (L2) Ensure 'Control use of the File System API for reading' is set to 'Enabled: Do not allow any site to request read access to files and directories via the File System API'

Information

This policy setting determines whether websites can ask for read access to the host operating system's file system using the File System API.

Policy options mapping:

BlockFileSystemRead (2) = Do not allow any site to request read access to files and directories via the File System API

AskFileSystemRead (3) = Allow sites to ask the user to grant read access to files and directories via the File System API

The recommended state for this setting is: Enabled: Don't allow any site to request read access to files and directories

There is a large category of attack vectors that are opened up by allowing web applications access to files. By setting this policy to Enabled: Do not allow any site to request read access to files and directories via the File System API implements additional protections to safeguard against accidental sharing of sensitive information contained in locals files.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Do not allow any site to request read access to files and directories via the File System API :

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Content settings\Control use of the File System API for reading

Impact:

Users with creative roles that require the File System API access permission to read files for photo, video, and text editors or for creating integrated development environments will need additional permissions granted based on their role.

See Also

https://workbench.cisecurity.org/benchmarks/16430

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: 7b145b40b903f2e9fc404287894f5176cb8fb71576d6c7c1bd6f4dcd84d11ce1