diff --git a/SECURITY_AUDIT.md b/SECURITY_AUDIT.md
index 2cda8bd..2fc4a61 100644
--- a/SECURITY_AUDIT.md
+++ b/SECURITY_AUDIT.md
@@ -291,7 +291,7 @@ bats tests/security.bats # Run specific suite
 | Standard | Implementation |
 |----------|----------------|
 | OWASP Secure Coding | Input validation, least privilege, defense-in-depth |
-| CWE-22 (Path Traversal) | Absolute path enforcement, `../` rejection |
+| CWE-22 (Path Traversal) | Enhanced detection: rejects `/../` components while allowing `..` in directory names (Firefox compatibility) |
 | CWE-78 (Command Injection) | Control character filtering |
 | CWE-59 (Link Following) | Symlink detection before privileged operations |
 | Apple File System Guidelines | Respects SIP, Read-Only Volumes, TCC |
diff --git a/lib/core/file_ops.sh b/lib/core/file_ops.sh
index 7dbaa7b..4fb03a7 100644
--- a/lib/core/file_ops.sh
+++ b/lib/core/file_ops.sh
@@ -46,7 +46,9 @@ validate_path_for_deletion() {
 fi
 
 # Check for path traversal attempts
-if [[ "$path" =~ \.\. ]]; then
+# Only reject .. when it appears as a complete path component (/../ or /.. or ../)
+# This allows legitimate directory names containing .. (e.g., Firefox's "name..files")
+if [[ "$path" =~ (^|/)\.\.(\/|$) ]]; then
 log_error "Path validation failed: path traversal not allowed: $path"
 return 1
 fi
diff --git a/tests/core_safe_functions.bats b/tests/core_safe_functions.bats
index c6bcba6..a720787 100644
--- a/tests/core_safe_functions.bats
+++ b/tests/core_safe_functions.bats
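Review bot: The ERE on the new `if` line escapes the slash (`\/`), but `/` is not a metacharacter in ERE and POSIX leaves the meaning of a backslash before a non-special character undefined (glibc and macOS happen to accept it), so the pattern looks as if something special is going on there; `if [[ "$path" =~ (^|/)\.\.(/|$) ]]; then` is equivalent and easier to audit. The comment above it enumerates `/../`, `/..` and `../`, yet the alternation also rejects a path that is exactly `..`, so the comment would be more accurate as `# Reject .. only as a whole path component: "..", "../x", "x/.." or "x/../y"`. Worth stating in that comment as well that the check is purely lexical — it judges the string as supplied, not a canonicalised path — so it must sit ahead of, not replace, the symlink and absolute-path checks the audit table attributes to this function. validate_path_for_deletion begins before this hunk and continues after it, so those other checks are not visible here.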
@@ -43,6 +43,26 @@ teardown() {
 @test "validate_path_for_deletion rejects path traversal" {
 run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '/tmp/../etc'"
 [ "$status" -eq 1 ]
+
+# Test other path traversal patterns
+run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '/var/log/../../etc'"
+[ "$status" -eq 1 ]
+
+run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '$TEST_DIR/..'"
+[ "$status" -eq 1 ]
+}
+
+@test "validate_path_for_deletion accepts Firefox-style ..files directories" {
+# Firefox uses ..files suffix in IndexedDB directory names
+run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '$TEST_DIR/2753419432nreetyfallipx..files'"
+[ "$status" -eq 0 ]
+
+run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '$TEST_DIR/storage/default/https+++www.netflix.com/idb/name..files/data'"
+[ "$status" -eq 0 ]
+
+# Directories with .. in the middle of names should be allowed
+run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '$TEST_DIR/test..backup/file.txt'"
+[ "$status" -eq 0 ]
 }
 
 @test "validate_path_for_deletion rejects system directories" {
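Review bot: The new acceptance test only exercises `..` in the middle or at the end of a name, so it leaves the two boundaries the relaxed regex actually turns on untested: a name that begins with `..` (must be accepted) and a genuine `..` component sitting next to a legitimate `..name` (must still be rejected). Adding `run bash -c "source '$PROJECT_ROOT/lib/core/common.sh'; validate_path_for_deletion '$TEST_DIR/..hidden'"` followed by `[ "$status" -eq 0 ]`, and `validate_path_for_deletion '$TEST_DIR/name..files/../data'` followed by `[ "$status" -eq 1 ]`, would catch a later change that loosens the component check while keeping the Firefox cases green. Separately, `$TEST_DIR` and `$PROJECT_ROOT` are interpolated into single-quoted strings inside `bash -c`, so a test directory containing a quote character would break the command rather than exercise the function; this is pre-existing (the first context line does the same) but the new cases multiply it.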