Basic web browser sandboxing and access to filesystem

Hi,

I was trying NixOS as a Desktop and installed Chromium, Brave and Firefox through home-manager.
I did a few checks and first found out that the browsers can by default access all the files the user has access to (like file:///etc/), which I believe is not the case in many other distros (even without sandboxing systems such as Flatpak).

I searched the NixOS options, discourse and users configurations to see how people are usually configuring their browser but couldn’t find how to restrict filesystem access outside of using firejail.

I am not a security expert but always remember this view on firejail from Linux | Madaidan's Insecurities:

Firejail is another common sandboxing technology; however, it is also insufficient. Firejail worsens security by acting as a privilege escalation hole — Firejail requires being setuid, meaning that it executes with the privileges of the executable’s owner, which in this case, is the root user. This means that a vulnerability in Firejail can allow escalating to root privileges.

Which kind of makes sense, AFAIK.

So my question is:
What are you recommending today for basic browser hardening/sandboxing and limiting filesystem access (without going as far as firejail with all its tradeoffs)?

Thank you for your help!

Browsers implement their own sandboxing. A script from a https origin can’t arbitrarily fetch files from /etc, but the browser itself can obviously still access it. Most distros don’t implement any additional sandboxing on top of that. I made a little tool for sandboxing Nix packages: GitHub - nixpak/nixpak: Runtime sandboxing for Nix.
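As an added example (not code from this thread or from the nixpak project) of what such a sandbox looks like in practice: a nixpak wrapper for Firefox that only sees ~/Downloads and its own profile directory, so the rest of $HOME and /etc are not visible to the browser process at all. The option names (mkNixPak, app.package, bubblewrap.bind.*, sloth.*) follow nixpak's README and are assumptions to check against the current version, as is the set of /etc paths the browser needs.

```nix
# Added example: a nixpak-wrapped Firefox with a restricted filesystem view.
# Option names are assumed from the nixpak README; verify against the version you use.
{ pkgs, nixpak, ... }:
let
  mkNixPak = nixpak.lib.nixpak { inherit (pkgs) lib; inherit pkgs; };

  sandboxedFirefox = mkNixPak {
    config = { sloth, ... }: {
      app.package = pkgs.firefox;

      # Keep D-Bus and GPU passthrough so it still behaves like a desktop app.
      dbus.enable = true;
      gpu.enable = true;

      # Only these paths are mounted inside the sandbox. Anything not listed
      # (the rest of $HOME, /etc, other users' files) simply does not exist
      # from the browser's point of view.
      bubblewrap.bind.rw = [
        (sloth.concat' sloth.homeDir "/Downloads")   # where saved files land
        (sloth.concat' sloth.homeDir "/.mozilla")    # the browser profile
        (sloth.env "XDG_RUNTIME_DIR")                # Wayland/X11/pipewire sockets
      ];
      # Read-only pieces of /etc a browser needs (assumed minimal set).
      bubblewrap.bind.ro = [
        "/etc/resolv.conf"
        "/etc/fonts"
      ];
      bubblewrap.bind.dev = [ "/dev/dri" ];

      # A browser needs the network; set to false for an offline-only app.
      bubblewrap.network = true;
    };
  };
in
# config.env is a package that looks like pkgs.firefox but whose main binary
# is the sandboxing wrapper; use it in home.packages instead of pkgs.firefox.
sandboxedFirefox.config.env
```

A quick check after installing it is to open file:///etc/ and file:///home/ in the wrapped browser: only the bound paths should be listed.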

Thanks, I am looking at nixpak, it's great!

I know :joy:

Now, funny fact: I believe / vaguely remember that very old Internet Explorer versions (like maybe v4 or 5) had VBScript and full file system access support. Seems crazy today: