Allow two Firefox profile files to be saved outside of the sandbox:
cert8.db (Client Certificate database)
blocklist.xml (Mozilla generated list of blocked add-ons)
----
A recently disclosed break-in at DigiNotar (a certificate issuer) has browser developers scrambling to block hundreds of false SSL certificates that have been created in the past 6 weeks.
So far, it appears that users in Iran have been most at risk, although a false certificate for the Mozilla Add-Ons site was created.
http://www.theregister.co.uk/2011/09/02/google_chrome_diginotar/

Chrome will issue a new program version in order to block these certificates.
Microsoft's fix will reportedly be applied automatically for users of Vista and later, but XP users will have to apply a software update.
http://www.theregister.co.uk/2011/08/30/fraudulent_google_cert_update/

I don't know if Mozilla will issue new versions of Firefox and Thunderbird, but it seems likely that they will update the "cert8.db" (Client Certificate database) file that's stored in the profile folder for all versions of those programs.

Firefox will normally update this certificates database file while it is connected to the Internet.
But when it's running sandboxed, any updates to the "cert8.db" file will be saved in the sandbox if direct access to that file is not provided, and the updated certificates file will then be deleted when the sandbox contents are deleted.
People who seldom run Firefox unsandboxed may not get the updates to this file right away.
I've been allowing the "cert8.db" to be saved outside of the sandbox for some time now, and I think it should be allowed out by default for all Firefox users.

This same file is used by Thunderbird, but if the "Thunderbird" template is used, the "cert8.db" file is allowed direct access by the template.
So no further action would be needed there.
SeaMonkey users should also be covered by their template.

There is another file that is automatically updated by Firefox and Thunderbird, once each day, whenever they are connected to the Internet: "blocklist.xml"
This file contains a list of extensions that Mozilla has found to be harmful to users.
Extensions listed in the file are either disabled or prevented from being installed.
I also allow this file to be stored outside of the sandbox for Firefox, and the Thunderbird template allows it out too.

We already have an anti-phishing template for Firefox, that is applied to all new sandboxes as they are created, due to its large file size.
But in my view, Sandboxie users of Firefox should also allow these two profile files to be saved out of the sandbox.

How best to accomplish that for other people, I can't say.
They could be added to the Firefox anti-phishing template, although they aren't exactly involved with phishing.
----
I have one sandbox that I occasionally use with a different Firefox profile, but where Firefox is more limited as to what files are allowed out of the sandbox.
I have now added direct access for these two Firefox profile files in that sandbox.

I could have added the files through Sandbox Settings > Resource Access > File Access > Direct Access, or used Edit Configuration to add two lines to the settings for the sandbox:
OpenFilePath=firefox.exe,*\cert8.db
OpenFilePath=firefox.exe,*\blocklist.xml

Intead I created a local template that I can then apply to that sandbox and any new ones that I might create for Firefox, where I don't want to allow very many profile files out of the sandbox.
I list it here in case anyone wants to paste the code into:
Sandbox Settings > Applications > Local > click the "Create New" button
and, after entering it, "Apply" it to the sandbox(es) of choice.

Sounds good, I can add such a setting.

Another excellent suggestion...many thanks!

I agree, perhaps I should add those two files to that default phishing template rather than create a new template? One might argue that these files are conceptually related to anti-phishing, or more broadly, anti-hacking measures.

Does anyone see a downside to having a sandboxed Firefox browser freely update these files outside the sandbox?

Added for discussion:
Obviously, the template name cannot be changed at this point, without causing problems or additional work.
The Tmpl.Title would only need to be extended, in my view.

Mozilla refers to the 'cert8.db' Client Certificates as "Security certificates".

Mozilla also refers to the 'blocklist.xml' file in this way:
"blocklist.xml contains a list of add-ons that Mozilla considers to be harmful to the user (contains security vulnerabilities, adversely affects browsing experience, etc.)"

If these files are added to the current template, as I think would be best, then I would suggest that the template title be changed to something simple, like:
Allow direct access to Firefox phishing database and security files

The proposed change would automatically take effect for any sandbox that currently uses the anti-phishing template.

I think a name title referring to Firefox "blacklist files" might be a better fit, but I'm not sure that I'll actually change the name of the template, because some translations are being less actively maintained than others, and I don't want to lose existing translations for such a minor point.

My question was more concerned with getting the files themselves into that template, which is already added by default to all sandboxes, so I'm glad to see you think it's a good idea.

I agree that the template name should not be touched.
That would cause too many problems.

As far as using the term "blacklist" in the title, I'm under the impression that the Client Certificates database file (cert8.db) is more of a white list.

The blocklist.xml file is a black list of add-ons:
https://addons.mozilla.org/en-US/firefox/blocked/

I guess the cert8.db database probably contains revocation certificates as well, so it would have a black list component.
----
Microsoft has now issued the update to their Revocation Certificates for XP users (through Windows Update), and Chrome and Firefox have both released their new program versions.

At least one certificate issuer has suspended certifying new SSL certificates, following claims from a hacker that he still has credentials that he can use to create new ones.
http://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/

I updated the phishing template to include these two files in version 3.59.02.

Thanks for the quick update, Tzuk.

I'm guessing that after this update we should remove the entries to resource access made via the GUI by following Guest10's earlier suggestions?

Yes.
Those settings are now duplicated by the template in templates.ini

Duplicate entries do not cause a problem by themselves, as long as the template is also used.
But if the template was no longer used by a sandbox, and those individual settings are not removed, then they would still be in use in that sandbox if Firefox uses it again.
----
This is the type of situation where I like to use a Local Template.
The Local Template is created in the configuration file, and contains all of the settings in one place.
The template is then applied to individual sandboxes, where you want these Firefox exclusions to be used.
Only one line is then added to the settings for each sandbox where it is applied, no matter how many exclusions are contained within the template.

Once you "Remove" the template from all of the sandboxes where it is applied (using the GUI), Sandboxie Control will tell you that the local template is no longer being used by any sandbox.
It will then give you a choice of deleting it from the configuration file, at which point you would answer "Yes", to delete the local template and all of its settings from your configuration file.

Thanks, as always.