1.3.1 Ensure 'Allow read access via the File System API on these sites' is set to 'Disabled'


This policy setting allows organizations to list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.

Note: Leaving the policy unset means DefaultFileSystemReadGuardSetting (Control use of the File System API for reading) applies for all sites, if it's set. If not, users' personal settings apply.

Note #2: URL patterns can't conflict with FileSystemReadBlockedForUrls (Block read access via the File System API on these sites). Neither policy takes precedence if a URL matches both.

The recommended state for this setting is: Disabled.


This API allows web apps to read or save changes directly to files and folders on user devices. Beyond reading and writing files, the File System Access API provides the ability to open a directory and enumerate its contents. Allowing web apps to enumerate the contents of a directory and to read or save changes directly to files and folders opens the organization to malicious content being saved directly onto user devices.


Users with creative roles that require read access to files and directories via the File System API may need additional permissions granted for said roles.


To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content settings\Allow read access via the File System API on these sites

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml, which can be downloaded from Microsoft's "Download Microsoft Edge for Business" page.

Default Value:

Not configured.
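
An audit sketch for this setting and for the conflict described in Note #2, added here as an example and not part of the benchmark or of Microsoft's tooling. It assumes Edge machine policies are stored under HKLM:\SOFTWARE\Policies\Microsoft\Edge and that the allow list is the policy FileSystemReadAskForUrls; neither detail is stated on this page.

```powershell
# Added example. Assumed (not from the page): machine-level Edge policies live
# under this key, and list policies are subkeys holding string values 1, 2, 3...
$EdgePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeListPolicy {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $EdgePolicyRoot $Name
    if (-not (Test-Path -LiteralPath $key)) { return }
    $item = Get-Item -LiteralPath $key
    # Skip the unnamed default value; every named value is one URL pattern.
    $item.GetValueNames() | Where-Object { $_ } |
        ForEach-Object { [string]$item.GetValue($_) }
}

# FileSystemReadAskForUrls is the assumed name of the allow-list policy;
# FileSystemReadBlockedForUrls is the block list named in Note #2.
$allow = @(Get-EdgeListPolicy -Name 'FileSystemReadAskForUrls')
$block = @(Get-EdgeListPolicy -Name 'FileSystemReadBlockedForUrls')

# Fallback policy named in the first note; $null when it is not set.
$guard = (Get-ItemProperty -LiteralPath $EdgePolicyRoot `
            -Name 'DefaultFileSystemReadGuardSetting' `
            -ErrorAction SilentlyContinue).DefaultFileSystemReadGuardSetting

# Only exact (case-insensitive) duplicates are detected here. Two different
# patterns that match the same URL still conflict and need manual review.
$conflicts = @($allow | Where-Object { $block -contains $_ })

[pscustomobject]@{
    # Disabled leaves no allow-list entries. The registry alone cannot tell
    # Disabled apart from Not configured, so confirm the state in the GPO.
    AllowListEmpty         = ($allow.Count -eq 0)
    AllowListEntries       = $allow
    BlockListEntries       = $block
    DefaultReadGuardPolicy = $guard
    ExactConflicts         = $conflicts
}
```

Run it in an elevated or standard PowerShell session on the audited host; it only reads the registry and changes nothing.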

Item Details


References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: c47fee8dcc259b9308f93eb4c7ae2a5e88ec0ba867e009cba11bfb341f4955d2