1.3.1 Ensure 'Allow read access via the File System API on these sites' is set to 'Disabled'

Information

This policy setting allows organizations to list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.

Note: Leaving the policy unset means DefaultFileSystemReadGuardSetting (Control use of the File System API for reading) applies for all sites, if it's set. If not, users' personal settings apply.

Note #2: URL patterns can't conflict with FileSystemReadBlockedForUrls (Block read access via the File System API on these sites). Neither policy takes precedence if a URL matches with both.

The recommended state for this setting is: Disabled.

Rationale:

This API allows web apps to read or save changes directly to files and folders on user devices, beyond reading and writing files; the File System Access API provides the ability to open a directory and enumerate its contents. Allowing web apps the ability to enumerate the contents of a directory by reading or saving changes directly to files and folders opens the organization to malicious content to be saved directly onto user devices.

Impact:

Users with creative roles that require read access to files and directories via the File System API may need additional permissions granted for said roles.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content settings\Allow read access via the File System API on these sites

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Not configured.

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: c674a5ffc28650504f7ed07404a5ebd92d6d2fa28c48743bdd6655db1b7a88af