Once https://crbug.com/845612 is finished, the network service will open files for upload via an IPC to the browser process, passing it a path and the id of the process that requested the upload. If the request originated from the browser process, we let it access any file; for renderers we check ChildProcessSecurityPolicy. Because of this, a compromised network service could pass 0 as the process id and get access to all files.
To get around this, we can either use CPSP to keep track of file permissions for the browser process as well, or never open files on behalf of the browser process in the NetworkServiceClient::OnFileUploadRequested method. Instead, the browser process itself would hand the network service already-open files or pipes when it makes the initial upload request. One potential issue with the latter approach is that if SimpleURLLoader wants to retry the request for some reason, it won't be able to, because an already-open file or pipe can't be reset.
See the comments on https://crbug.com/845612 for more context.
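To make the problem concrete, here is a small constructed model of the upload-path check (added example, not Chromium code): a grant table standing in for ChildProcessSecurityPolicy, the weak check that exempts the browser process (id 0, as in the report) from the table, and the hardened check that requires an explicit grant from every requester, the browser process included. The class and function names are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>

// Process id 0 stands for the browser process, as in the bug report.
constexpr int kBrowserProcessId = 0;

// Constructed stand-in for ChildProcessSecurityPolicy's per-process file grants.
class UploadFilePolicy {
 public:
  // Record that |process_id| may read |path| (analogue of GrantReadFile).
  void GrantReadFile(int process_id, const std::string& path) {
    grants_[process_id].insert(path);
  }

  // Weak check: the browser process bypasses the grant table, so a compromised
  // network service that merely claims process id 0 can read any file.
  bool CanReadFileWeak(int process_id, const std::string& path) const {
    if (process_id == kBrowserProcessId) return true;
    return HasGrant(process_id, path);
  }

  // Hardened check: the browser process registers its own upload paths in the
  // same table, so a spoofed process id 0 gains nothing beyond those grants.
  bool CanReadFileHardened(int process_id, const std::string& path) const {
    return HasGrant(process_id, path);
  }

 private:
  bool HasGrant(int process_id, const std::string& path) const {
    auto it = grants_.find(process_id);
    return it != grants_.end() && it->second.count(path) > 0;
  }
  std::map<int, std::set<std::string>> grants_;
};

// Models the IPC handler: the network service supplies the path and the id of
// the process it claims requested the upload. Returns whether the browser
// process would open the file for it.
bool OnFileUploadRequested(const UploadFilePolicy& policy, bool hardened,
                           int claimed_process_id, const std::string& path) {
  return hardened ? policy.CanReadFileHardened(claimed_process_id, path)
                  : policy.CanReadFileWeak(claimed_process_id, path);
}
```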
Comment 1 by jam@chromium.org, Jun 14 2018
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows