Security/Sandbox

594 bytes added, 00:28, 31 December 2019
Remove table documenting what is blocked for each level and replace with a description.
=== Content Levels ===
Removed by this edit (the per-level table):

{| class="wikitable"
|-
! Level !! What's blocked by the sandbox?
|-
| Level 1 [1] ||
* write access to most of the filesystem
* inbound/outbound network I/O
* exec, fork
* printing
|-
| Level 2 ||
* write access to most of the filesystem
* inbound/outbound network I/O
* exec, fork
* printing
* read access to the profile directory (apart from the chrome and extensions subdirectories)
* read access to ~/Library
|-
| Level 3 ||
* write access to all of the filesystem
* read access to most of the filesystem
** read access to the profile directory (apart from the chrome and extensions subdirectories)
** read access to the home directory
* inbound/outbound network I/O
* exec, fork
* printing
* video input devices such as cameras
|}

Note that the macOS sandbox is whitelist based, not blacklist based, so this table is effectively the inverse of what the policy allows.

Added by this edit (the description that replaces the table):

Mac content processes use sandbox level 3. File content processes (for file:/// origins) also use level 3, with additional rules that allow read access to the filesystem. Levels 1 and 2 can still be enabled in about:config, but they are not supported and using them is not recommended. The different sandbox levels were used for testing and debugging during the rollout of the Mac sandboxing features, and they are now planned to be removed.

Mac sandboxing uses a whitelist policy for all process types. Each policy begins with a statement denying access to most system resources and then lists the allowed resources. The level 3 sandbox allows read access to filesystem metadata everywhere, full read access to specific system directories and some user directories, the microphone, various system services, the windowserver, named sysctls and IOKit properties, and other miscellaneous items. Work is ongoing to remove access to the microphone, the windowserver, and other system services where possible. The level 3 sandbox blocks write access to all of the filesystem, read access to the profile directory (apart from the chrome and extensions subdirectories), read access to the home directory, inbound/outbound network I/O, exec, fork, printing, and video input devices such as cameras.

The older sandbox levels 1 and 2 are less restrictive. Mainly, level 2 allows file-read access to most of the filesystem except the ~/Library directory, and level 1 allows all file-read access. Level 1 restrictions are a subset of level 2 restrictions, and level 2 restrictions are a subset of level 3 restrictions.
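As an added illustration of the deny-by-default structure described above, here is a minimal Seatbelt (SBPL) profile written in the same style. It is not Firefox's actual content policy (that lives in the Firefox source tree) and is not part of the original page; the operation names are Apple's SBPL ones, while the directory list, the HOME_PATH parameter name and the choice of /bin/ls as the sandboxed program are assumptions made for this example.

```scheme
;; Illustrative deny-by-default Seatbelt profile in the spirit of the
;; level 3 description above. Example only, not Firefox's real policy.
(version 1)

;; Start by denying everything; every rule that follows is an explicit allow.
(deny default)

;; Home directory path handed in by the launcher.
;; Assumption for this example: sandbox-exec -D HOME_PATH="$HOME" ...
(define home-path (param "HOME_PATH"))

;; Level 3 style: metadata (stat) of any path is readable, but file
;; contents are readable only under specific system directories.
(allow file-read-metadata)
(allow file-read*
  (subpath "/System")
  (subpath "/usr/lib")
  (subpath "/usr/share")
  (subpath "/private/var/db/dyld")
  (literal "/bin/ls"))

;; sandbox-exec applies the profile and then execs the target, so the
;; target binary itself must be exec-able under the profile.
(allow process-exec (literal "/bin/ls"))

;; Named sysctls that libSystem and dyld read at start-up (assumed set);
;; any sysctl not listed here stays denied.
(allow sysctl-read
  (sysctl-name "hw.ncpu")
  (sysctl-name "hw.pagesize")
  (sysctl-name "kern.osversion"))

;; Nothing below is strictly needed, because (deny default) already
;; covers it; the explicit denies only document the intent.
(deny file-write*)
(deny network*)
(deny process-fork)
(deny iokit-open)

;; A level 2 style profile would instead allow file-read* of most of the
;; filesystem while still withholding ~/Library. In SBPL a later rule
;; wins over an earlier one, so that is a broad allow followed by a
;; narrower deny:
;;   (allow file-read* (subpath "/"))
;;   (deny file-read* (subpath (string-append home-path "/Library")))
```

To try it, save the profile as level3.sb and run `sandbox-exec -D HOME_PATH="$HOME" -f level3.sb /bin/ls /System` (sandbox-exec is deprecated by Apple but is still shipped). Listing /System succeeds, while `/bin/ls "$HOME/Library"` fails with "Operation not permitted" because nothing under the home directory is whitelisted for file-read*. The exact set of files, sysctls and services a given binary touches at start-up varies between macOS releases; the kernel reports each refused operation as a `Sandbox: ... deny(1) ...` line in the unified log (visible in Console.app or `log stream` output), and reading those denials is the usual way to tune a whitelist policy like this one.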
=== Gecko Media Plugins ===