try the following link in standard browser:
view-source:///etc/passwd
ok, shadow does not work 
Uhhm…
I’m not sure that it’s correct calling this a security problem - maybe even misleading.
passwd intentionally is a publicly readable unix file. See this short article about the purpose of passwd. Maybe someone who knows this stuff better (me I only can ‘guess educatedly’) can comment.
In any case: access to the local file system from Browser is a (necessary) feature, not a security issue (but this most probably is a no-brainer).
3 Likes
Exactly my thoughts.
And filing as a bug like here I do not get at all.
Just try this on a Jolla1 with 1.0.0.5.
Or on a current debian/ubuntu/… system.
Maybe related to the new firejail hardening? But then it might be more a feature request to hide /etc/password? I do not know if the browser or applications inside would need to read it.
1 Like