[RubyPinch]

shouldn't that protection already exist just in the file permissions of the cookie storage?

this doesn't really protect much from other users since other users don't have access to the file in the first place, and doesn't protect from the user that owns the browser process.

which is probably why the bug still exists, adding a randomly generated key only adds another easily passable obstacle

[vbezhenar]

I have user vbezhenar. I run browser under that user. I have system storage for sensitive data. Its data available only via API which checks permissions. E.g. only Chrome can access its data.

Chrome must be able to read its cookies, so cookies file must be readable/writeable for user vbezhenar. And there are high chances that I'll run malware program under this user vbezhenar too, so it can read cookies file, but it won't be able to access encryption password.

[nly]

File permissions can be bypassed by anyone who gets physical access once, encryption can't.