Appearance
Files → Open With → Browser → Upload
Validate that a file opened via Files tab association into a hidden browser still enforces web upload controls and proxy-only egress with no bypass via env/proxy flags.
Objectives
- Ensure association routing to a hidden app honors allow/visibility policy.
- Enforce web upload boundary and deny exfiltration by default.
- Prevent proxy bypass via env vars or flags.
Preconditions
- Files tab association configured with
openaction targeting the browser (browser appvisibility: "hidden"). - Proxy-only routing enforced; bypass flags/vars not permitted.
Suite
| ID | Canonical IDs | Flow | Procedure | Expected Outcome |
|---|---|---|---|---|
| INTEG-FILE-ASSOC-01 | HARD-FILES-ASSOC-02, DM-WEB-02, NET-EGRESS-05, NET-EGRESS-06 | Files → Open With → Browser → Upload | 1) From Files tab, choose Open With → Browser on a test document. 2) Attempt upload to test server. 3) Repeat with HTTPS_PROXY set and NO_PROXY=*. | Routing to hidden browser is authorized; upload attempt is denied; proxy bypass attempts fail; audit shows action: "deny", proxyEnforced: true, and relevant rule.id. |
Evidence Requirements
fileOpevents for association routing (rule.id).dataMotion/web upload events:action,outcome,rule.id,integrity.hash.networkevents for proxy enforcement and bypass attempts.
