We're trying to lock down our CEF Client from security vulnerabilities, and parts of this are proving difficult. In particular, since the user is allowed to browse freely to any URL (a requirement of our system), it is trivial to navigate to a page that contains a form which contains an input of type=file. From there, the user simply clicks the Choose File button, which will invoke the common file picker dialog from Windows. Even as a limited user, it is trivial to move/delete files or upload files to a remote server all from the file picker dialog.
Can you suggest any way to disable input type=file? I didn't see any way to do this from my browsing of the 3.2526.1368.gd94bfc5 client code base. Any suggestions are appreciated.
Thanks!