RESOLVED FIXED
140075
[Linux] SeccompFilters: cannot open local files if network process is disabled
https://bugs.webkit.org/show_bug.cgi?id=140075
Michael Catanzaro
Reported
2015-01-04 22:20:12 PST
If the network process is disabled (e.g. by selecting the shared-secondary-process process model) then the web process will be used to load files from disk when the user accesses a file:// URI (either manually or through a browser's file chooser). But with seccomp filters enabled, the web process has no permission to open the file.

We have a few different options:

* Disable the sandbox when the network process is disabled.
* Make the network process mandatory. (This is what Apple wants to do, anyway.)
* Implement runtime sandbox extensions, so the UI process can tell the seccomp broker to allow a trapped process access to additional files. Apple has sandbox extensions already working in the cross-platform code, but it would require significant modifications to the seccomp filters backend (see also bug #140062) so this may not be a short-term project.

Long-term, there is value in implementing sandbox extensions even if the network process is mandatory -- not for the web process, but for the network process, so that we can sandbox the network process as well.
Michael Catanzaro
Comment 1
2015-11-19 18:50:50 PST
Network process is now mandatory.
Michael Catanzaro
Comment 2
2015-11-20 05:52:39 PST
(In reply to comment #1)
> Network process is now mandatory.
It got rolled out.