Skip to content

Files → Open With → Browser → Upload

Validate that a file opened via Files tab association into a hidden browser still enforces web upload controls and proxy-only egress with no bypass via env/proxy flags.

Objectives

  • Ensure association routing to a hidden app honors allow/visibility policy.
  • Enforce web upload boundary and deny exfiltration by default.
  • Prevent proxy bypass via env vars or flags.

Preconditions

  • Files tab association configured with open action targeting the browser (browser app visibility: "hidden").
  • Proxy-only routing enforced; bypass flags/vars not permitted.

Suite

IDCanonical IDsFlowProcedureExpected Outcome
INTEG-FILE-ASSOC-01HARD-FILES-ASSOC-02, DM-WEB-02, NET-EGRESS-05, NET-EGRESS-06Files → Open With → Browser → Upload1) From Files tab, choose Open With → Browser on a test document. 2) Attempt upload to test server. 3) Repeat with HTTPS_PROXY set and NO_PROXY=*.Routing to hidden browser is authorized; upload attempt is denied; proxy bypass attempts fail; audit shows action: "deny", proxyEnforced: true, and relevant rule.id.

Evidence Requirements

  • fileOp events for association routing (rule.id).
  • dataMotion/web upload events: action, outcome, rule.id, integrity.hash.
  • network events for proxy enforcement and bypass attempts.