Slashdot Mirror


Chrome Throws Flash Into the Sandbox

wiredmikey writes "Google announced today that it will be extending Chrome's sandboxing technology to include the Flash Player plug-in. 'Sandboxing' technology is a method of isolating an application from the rest of the operating system and tightly controlling its resources. According to Google, the new sandboxing feature adds an additional layer of protection and will help protect users against malicious pages that attempt to hijack systems or steal information from the system."

109 comments

  1. But I thought by Mesa+MIke · · Score: 0, Offtopic

    that Chrome was "as good as dead"?

    1. Re:But I thought by Geoffrey.landis · · Score: 1

      that Flash was "as good as dead"?

      --
      http://www.geoffreylandis.com
    2. Re:But I thought by krazytekn0 · · Score: 1

      I'm assuming they are talking about Chrome the browser not ChromeOS

      --
      Not all life is cyber. Extra Income
    3. Re:But I thought by Anonymous Coward · · Score: 0

      that Chrome was "as good as dead"?

      That was ChromeBSD.

    4. Re:But I thought by Crudely_Indecent · · Score: 1

      Flash, ChromeOS, COBOL....

      This is Slashdot - where unless it's tomorrow, it's yesterday.

      --


      "Lame" - Galaxar
    5. Re:But I thought by Tubal-Cain · · Score: 1

      Probably both.

    6. Re:But I thought by tehcyder · · Score: 1

      that Chrome was "as good as dead"?

      That was ChromeBSD.

      Does Netcraft confirm this?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    7. Re:But I thought by DaVince21 · · Score: 1

      ChromeOS, not Chrome.

      I'm afraid that Flash performance might get even worse if they do this, though. Flash performance is already bad.

      --
      I am not devoid of humor.
  2. Flex apps? by KublaiKhan · · Score: 1

    That'll be helpful if it supports Flex-framework apps (which it should, given that they run in the flash player).

    I've been developing a flex app for the Blackberry Playbook that's coming out in February; the ability to port it to the chrome store without much extra work would be handy.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
    1. Re:Flex apps? by Eponymous+Coward · · Score: 1

      Maybe you can explain this to me: what's the Chrome store other than a bunch of bookmarks?

    2. Re:Flex apps? by KublaiKhan · · Score: 3, Interesting

      Some of the applications are glorified bookmarks; others--the 'plugins'--extend functionality of the browser itself.

      For instance, there's a plugin that allows interface to the system's ping, ping6, traceroute, traceroute6, whois, and a couple of other net-centric functions. It includes some friendly interfacing, and it's smart enough to grab the current tab's URL as the target when invoked.

      If the 'plugin' functionality could invoke a flash app, that would work well for more complex programs, and would be helpful for ChromeOS installations--corporate users could invoke custom corporate clients, for instance.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    3. Re:Flex apps? by DragonWriter · · Score: 1

      Maybe you can explain this to me: what's the Chrome store other than a bunch of bookmarks?

      It's a curated, annotated list of bookmarks (for installable hosted web apps) and download links (for packaged apps).

      Plus, of course, it has functions associated with purchase for non-free apps, and some other features beyond just being a list.

  3. Apple has the ultimate Flash sandbox by wjousts · · Score: 5, Funny

    You have to run it on a completely different machine. Can't get much more secure than that.

    1. Re:Apple has the ultimate Flash sandbox by zero.kalvin · · Score: 1

      Or don't run it at all.

    2. Re:Apple has the ultimate Flash sandbox by MobileTatsu-NJG · · Score: 1

      Apple has the ultimate Flash sandbox. You have to run it on a completely different machine.

      Why?

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:Apple has the ultimate Flash sandbox by chispito · · Score: 1

      Because he is comparing Chrome, a browser that runs on PCs, to IOS devices. I'm not sure why.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Apple has the ultimate Flash sandbox by ocdscouter · · Score: 1

      Because odds are it'll get rated +5 Insightful?

    5. Re:Apple has the ultimate Flash sandbox by icebike · · Score: 1

      Because he is comparing Chrome, a browser that runs on PCs, to IOS devices.

      I'm not sure why.

      No, he's comparing running Flash on any other platform vs not running flash at all on IOS.

      But I suspect you knew that and were just trolling.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Apple has the ultimate Flash sandbox by Anonymous Coward · · Score: 0

      I honestly don't get it

    7. Re:Apple has the ultimate Flash sandbox by Anonymous Coward · · Score: 0

      It's so secure, I don't even own an Apple anymore.

    8. Re:Apple has the ultimate Flash sandbox by Neil+Boekend · · Score: 1

      Well, the flashcookies and flash viruses are no problem if you can't run flash, so it's secure. About as secure as a box that's not connected to the internet is. But also as useful.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    9. Re:Apple has the ultimate Flash sandbox by MobileTatsu-NJG · · Score: 1

      That wasn't the confusing bit. It was the random reference to iOS that threw me. He could have mentioned his Casio watch and it'd have been just as funny.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    10. Re:Apple has the ultimate Flash sandbox by Neil+Boekend · · Score: 1

      That a casio watch can't run flash isn't a high profile problem. That iOS can't is.
      If you are comparing the functionality of an iPad to a watch then that is funny in and of itself.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    11. Re:Apple has the ultimate Flash sandbox by MobileTatsu-NJG · · Score: 1

      It's a sensationalized problem. Funny is trying to hypocritically justify it.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    12. Re:Apple has the ultimate Flash sandbox by Neil+Boekend · · Score: 1

      Well they do have a point. My Linux and M$ systems have their highest processor load when running flash video and the shit pushed towards you (as in viruses and cookies) isn't funny anymore.
      The problem is sensationalised. True. But for many people it seemed like a big deal, until Youtube fixed it. It may even be a good thing for HTML5 and Intel Atom systems.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  4. Comment removed by account_deleted · · Score: 0

    Comment removed based on user account deletion

  5. Back in the day... by Anonymous Coward · · Score: 0

    ...we called this a "virtual machine".

    1. Re:Back in the day... by adisakp · · Score: 1

      ...we called this a "virtual machine".

      You don't need a full VM though with a Modern OS. You can run a plug-in as a child process with almost no access privileges and then it has to request minimal (and hopefully secure) access APIs from the host/parent process. This way the plug-in can't directly access file IO without going through an extra layer where it can be scrubbed and gated. Also, since it's running in a different process, it cannot directly access any of the memory through pointers in the host/parent process.

    2. Re:Back in the day... by perrin · · Score: 2

      Unfortunately, Linux in this respect is not a "Modern OS". The ability to sandbox user applications is extremely poorly developed. I have been looking at portable sandboxing lately, and it is a horrible nightmare. The Chrome developers created some fancy hacks for each OS, and they have pulled it off quite nicely, but they remain hacks, not elegant designs. The platform with the best current sandboxing API is, ironically, Windows Vista/7, with their configurable integrity levels. An API dubbed "Seatbelt" is being developed on MacOSX, but it is still in its barely-can-walk infancy, and the Chrome devs used undocumented parts of the API to make it all work. On LINUX there is a set of competing security modules for the kernel, with SELinux being the most used. Unfortunately, not only do some distros not use it, but a lot of users who have it disable it immediately (or set it to permissive mode, which from a sandboxing point of view is the same thing). And SELinux is a horrible beast to program for. It is insanely complex, and has non-existent documentation on how to use it to confine user programs.

      What is needed is some generally agreed upon extension to POSIX on how to easily allow a user process to drop privileges it does not need. One experimental OS I looked at once (VSTa) had the ability for all users to create subgroups to their GID by adding more numbers. If your UID.GID was 500.500, you could create a new directory owned by 500.500.2, and allow the process owned by 500.500.2 only to access this directory (some documentation on this is still up at http://www.vsta.org:8080/VSTa_2fDocumentation_2fCapabilities). I wish some similar, dead simple scheme could be created for Linux that ordinary users could understand themselves. Only a dedicated security elite could possibly wrap their heads around the SELinux rules -- everyone else just turns it off as soon as it gets in the way.

    3. Re:Back in the day... by theaceoffire · · Score: 1

      I think Linux advancement in virtual machines has been advanced fairly recently.

      The Android operating system is a linux based OS that runs java virtual machines, every application in a separate machine with their own database.

      You have to manually allow interaction between programs... it is quite stable.

      --
      I steal signatures. This one used to be yours.
    4. Re:Back in the day... by jimicus · · Score: 1

      The platform with the best current sandboxing API is, ironically, Windows Vista/7, with their configurable integrity levels.

      They do say that necessity is the mother of invention.

    5. Re:Back in the day... by Enderandrew · · Score: 1

      As opposed to the Unix world where a process can be associated with a user and a group and have fine-grained permissions based on the user and group, and then even more so with AppArmor, SE Linux, etc?

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    6. Re:Back in the day... by Anonymous Coward · · Score: 0

      Are you sure that Chromium on Linux went with SELinux? It's been a while since I read anything but I thought its primary sandboxing means was via Google's extension to the Linux kernel, seccomp. How many distros do/don't include seccomp support?

      ...

      Actually I take that back. I just found this page:
      http://code.google.com/p/chromium/wiki/LinuxSandboxing

      Seems Chromium uses either AppArmor or chroot on most distros (though the latter method doesn't provide full tab/plugin/extension isolation).

    7. Re:Back in the day... by Anonymous Coward · · Score: 1

      NT supports that and more. It's just that when you stray from the realm of filesystem and registry object ACLs, it becomes horribly nonintuitive, and things like process-based IPC security are up to the application to enforce (which, except for the 0.01% of programs such as Chrome, they never do enforce).

      Though I vastly prefer the SELinux/AppArmor approach of using agglomerate text files for defining rules... but that might be because I'm a part-time programmer.

    8. Re:Back in the day... by drinkypoo · · Score: 1

      What is needed is some simple tool for configuring an SElinux profile based on an application's behavior. A very complicated tool exists but that is not so helpful.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. This might be very good, or very bad by Stregano · · Score: 1

    It would depend on how much in resources is allocated to sandboxing. If this is a static number, then what if the flash is simply a flash banner ad and has resources allocated to it. Now, if the allocation is fully dynamic, this could be very awesome. They would still run into an inevitable problem of not enough resources on the machine, but then again, that is hard to avoid. I truly hope Google is not going to statically allocate resources since that would be bad. I have seriously made a logo for a person in the past using flash. If the resources are static for allocation, then there is a very high chance Google will either allocate too much or too little to something.

    --
    The world is how you make it
    1. Re:This might be very good, or very bad by Anonymous Coward · · Score: 0

      I have seriously made a logo for a person in the past using flash.

      I hope they paid you in sex, because no Slashdotter will take you seriously if you accepted mere money for committing such an atrocity.

  7. Obvious financial motivations there... by Anonymous Coward · · Score: 1

    Google earns money through advertising and wants to serve Flash banners (As doubleclick, which is already owned by Google, does). All new security holes in Flash cause more people to block or at least hate it. By sandboxing Flash in Chrome, Google both encourages people to use its browser and lowers the motivation to block all flash content. A great decision for Google and it happens to benefit the users, too.

    (As a freelancer who prefers Chrome as his browser, works mostly in internet advertising and occasionally teaches courses in web development related subjects - including Flash - I'd like to hug the engineers that implement this.)

    1. Re:Obvious financial motivations there... by Anonymous Coward · · Score: 0

      (As a freelancer who... works mostly in internet advertising and occasionally teaches courses in web development related subjects - including Flash...)

      As an Internet user, I'd like to egg your house.

    2. Re:Obvious financial motivations there... by gtomorrow · · Score: 1

      I'll buy the eggs.

    3. Re:Obvious financial motivations there... by flimflammer · · Score: 1

      Let's do this.

  8. By announced "today", you mean December 1st? by VGPowerlord · · Score: 4, Informative

    In case you missed it, the Chromium Blog talked about this in their December 1st blog entry.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    1. Re:By announced "today", you mean December 1st? by uncanny · · Score: 1

      Well duh, because it was just announced today that Chrome is going to die anyways!

    2. Re:By announced "today", you mean December 1st? by 0x15e · · Score: 1

      It was suggested that Chrome OS is going to die, not Chrome the browser. Even then, it wasn't an announcement. It was a statement made by a former Google employee. Hardly anything official.

  9. Not really important to me by gman003 · · Score: 4, Interesting

    After all, I already run Chrome itself in a sandbox. Firefox, too. Why?

    Pretty much every exploit now begins by "the user visits a website". After that, pretty much any technology can be the hole it exploits - Java, Flash, PDF viewing, even JPEG rendering has been exploited. There's an abundance of targets. The modern browser is just too big a platform to secure completely. So, I don't trust any browser more modern than Lynx.

    1. Re:Not really important to me by carkb · · Score: 4, Informative

      Even Lynx is too 'modern'. Check this exploit: http://www.vupen.com/english/advisories/2010/2042

    2. Re:Not really important to me by Eponymous+Coward · · Score: 1

      pretty much any technology can be the hole it exploits

      So, are you saying your sandbox code (which is probably not bug free) could be the source of some fruitful exploits?

    3. Re:Not really important to me by gman003 · · Score: 1

      Yes. It's had quite a few exploits found and fixed. There's definitely more to be found. I would not trust it to contain a known-malicious program. However, it's an effective barrier when combined with a decently-secure browser like Firefox or Chrome - not only does the "hacker" have to find an exploit in the browser, but in the sandbox as well, making it exponentially more difficult.

    4. Re:Not really important to me by NoSig · · Score: 1

      not only does the "hacker" have to find an exploit in the browser, but in the sandbox as well, making it exponentially more difficult.

      Huh, I'm pretty sure you don't know what exponential means, but you actually by mistake managed to use it in a way that makes a little sense, even if it takes a little creativity to see it. If the probability of being able to find a hole in a given layer is p, and there are n layers to get through (not just 2), and the probabilities are independent, the chance of finding a hole in all of them is p^n. Absurd assumptions, but it still amuses that someone used "exponentially" in a way that almost made sense in this sort of context - first time that I've ever seen that.

    5. Re:Not really important to me by Cryacin · · Score: 1

      You don't get out much, do you?

      --
      Science advances one funeral at a time- Max Planck
    6. Re:Not really important to me by Anonymous Coward · · Score: 0

      Stack smashers and nop sleds still take place with text input. Anything taking external input is subject to exploit attempts. You think Lynx is safe because it's totally unusable today and archaic? Guess what? It uses several libraries to achieve its functionality, and each of those may have pending exploits in addition to any holes, off by one errors and other bugs within Lynx itself.

    7. Re:Not really important to me by NoSig · · Score: 1

      Your comment's humor derives from thinking that knowledge = low status.

    8. Re:Not really important to me by Pollardito · · Score: 1

      Even Lynx is too 'modern'. Check this exploit: http://www.vupen.com/english/advisories/2010/2042

      This is exactly why I manually telnet to each website's port and issue GET requests directly

    9. Re:Not really important to me by gman003 · · Score: 1

      Actually, people misusing exponential is one of my pet peeves. And yes, that was pretty much exactly what I meant - if there's only one program to exploit, the difficulty is k, if there's two it becomes k^2, and so on.

    10. Re:Not really important to me by JSlope · · Score: 1

      By the way, I already run flash only with Chrome, it has a built-in flash player and so I don't have to install adobe flash to all the browsers. I browse with firefox and opera and when I need to see a page with flash (usually it's a video) I copy the url and run it in Chrome.

      --
      ResoMail - the alternative secure e-mail system
    11. Re:Not really important to me by ChunderDownunder · · Score: 1

      dude! For online banking, use ssh.

    12. Re:Not really important to me by Cryacin · · Score: 1

      Actually, I'm finding your hubris humorous.

      --
      Science advances one funeral at a time- Max Planck
    13. Re:Not really important to me by NoSig · · Score: 1

      I'm sorry I said you probably didn't in that case.

    14. Re:Not really important to me by NoSig · · Score: 1

      Here's some self-help. No need to thank me.

    15. Re:Not really important to me by gman003 · · Score: 1

      It's fine.

    16. Re:Not really important to me by Cryacin · · Score: 1

      Thanks comic book guy! http://en.wikipedia.org/wiki/Comic_Book_Guy

      Worscht... link... ever!!!

      --
      Science advances one funeral at a time- Max Planck
    17. Re:Not really important to me by NoSig · · Score: 1

      lol

    18. Re:Not really important to me by Anonymous Coward · · Score: 0

      While GET is safe, reading response from terminal may be not. It can contain specially crafted control sequences e.g. exploiting vte or xterm vulnerabilities.

    19. Re:Not really important to me by dwinks616 · · Score: 1

      People misusing "pet peeves" is one of my peeves. Notice I didn't say "one of my pet peeves" since pet in this sense means "one above all others", thus is not something you can have more than one of.

  10. Dupe by VGPowerlord · · Score: 1

    Original Slashdot story from December 3rd.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    1. Re:Dupe by wiredmikey · · Score: 4, Informative

      Yes, they mentioned it earlier, today it appears to actually be in action and built into the latest beta of the product.

  11. Flash cookies by 140Mandak262Jamuna · · Score: 1

    Can the sandboxing be done in such a way that all the data written by FlashPlayer in local storage can be erased when it goes out of scope? Every invocation of flash player will be on a freshly cleared local storage and one flash run will not be able to retrieve cookies and other persistent data?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Flash cookies by beakerMeep · · Score: 1

      There isn't anything wrong with the concept of persistent local storage, the problem is multiple persistent local storage areas that a user has to jump through hoops to clear. HTML5, Cookies, and Flash Cookies all have this issue.

      --
      meep
    2. Re:Flash cookies by ADRA · · Score: 1

      I could see this breaking sites that actually use those cookies for something meaningful across invocations. I'm surprised that Adobe didn't just go down Java's route and use the browser's built-in cookie management system for taking care of their own cookie needs.

      --
      Bye!
    3. Re:Flash cookies by Joe+U · · Score: 1

      I could see this breaking sites that actually use those cookies for something meaningful across invocations. I'm surprised that Adobe didn't just go down Java's route and use the browser's built-in cookie management system for taking care of their own cookie needs.

      Those are easy to manage. Flash cookies, not as easy.

      Well, not unless you understand how to create a RAMdrive and are familiar with MKLINK (in Windows).

      I like my RAMdrive, so many things live there, albeit shortly.

    4. Re:Flash cookies by clone52431 · · Score: 1

      Flash cookies, not as easy.

      Well, not unless you understand how to create a RAMdrive and are familiar with MKLINK (in Windows).

      They’re just stored in your application data folder. Firefox has addons that will automatically delete Flash cookies (e.g. BetterPrivacy). Does Chrome? And even if Chrome doesn’t, it’d be easy enough to make a script that would do it on startup or shutdown.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    5. Re:Flash cookies by Joe+U · · Score: 1

      Too much trouble.

      I just point to a folder on the ramdrive and not only does flash get a little faster (very little), but there are no open files on the HDD.

      All my browser temp files live there, that way when I'm browsing the laptop shuts down the HDD.

    6. Re:Flash cookies by clone52431 · · Score: 1

      Less trouble to install an extension than set up a RAMdrive, I think. Either way, it’s done and you can forget about it.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    7. Re:Flash cookies by Joe+U · · Score: 1

      Less trouble to install an extension than set up a RAMdrive, I think. Either way, it’s done and you can forget about it.

      Good point. It's my ramdrve.sys background, they were necessary way back when, so I tend to find a use for them now.

    8. Re:Flash cookies by HybridST · · Score: 1

      The best upgrade to my portable rig with its slow hard drive that I've made has been to add ram and move swap to ram (on heavily-tweaked xphome) leading to a 1400% (benchmarked!) speed increase for swapped data access! Now the system drive doesn't need to thrash constantly to handle FF with my 20-50 tab sessions, my DAW and games run much more smoothly and I can eke out more work from the workhorse system.

      The naysayers will say to upgrade hardware or get a new system or drop in a second drive but for my purposes this has been a HUGE performance boost allowing my old hardware to last a lot longer than it otherwise would.

      Now I just gotta figure out why my p4 2.8ghz sped up to 3.2ghz last week... still runs stable and within thermal tolerance though. My typical system uptime is on the order of 5-6 weeks only really shutting down to clean the cooling fins. As always YMMV.

      --
      Ever notice that Cobra Commander sounds an awful lot like Star scream?
    9. Re:Flash cookies by clone52431 · · Score: 1

      I know exactly what you mean. I’ve debugged slow WinXP machines for people where it turned out they were “slow” because they only had 256MB of RAM. Good grief, people, drop the $40 or $20 it takes to get a gig or a half a gig of RAM (and tell them no, I don’t want to pay $60 for you to unscrew the panel on the case and pop it in for me), your computer will run just fine...

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    10. Re:Flash cookies by ADRA · · Score: 1

      "i've made has been to add ram and move swap to ram"
      Wow, please just turn off swapping altogether and save yourself the trouble. You're just robbing from RAM the very resource that you need, RAM! The entire point for swapping is to save on RAM, and the very act of ram driving is taking away more of that precious resource. Just turn your swap off and kill the RAMDrive. I assure you that unless windows is on some serious drugs, your performance should improve.

      --
      Bye!
  12. Re:Better Score? by Lloyd_Bryant · · Score: 1

    This is most likely in response to their poor score in the NSS Labs report. Maybe their score will improve from 3%?

    Er, no. That report evaluated performance against "socially engineered malware" only. In short, it tested how well the browser handled protecting the user from being careless or gullible.

    Chrome's sandboxing is intended to limit the damage if an attack is encountered, not to keep the attack from happening by warning you that a given site hosts malware.

    --
    Don't tell me to get a life. I had one once. It sucked.
  13. Fuck that. by Anonymous Coward · · Score: 0

    Throw it into the trashcan.

  14. It didn’t already? by clone52431 · · Score: 1

    Heck, I think Firefox did it already... I think Flash must have released an unstable version recently. I’ve had Firefox lock up on me a couple of times. Killing the “plugin container” process in Task Manager immediately made Firefox start responding again and display an info bar on pages that had been using Flash saying that a plugin had crashed (gee, wonder why?) and suggesting that I reload the page.

    --
    Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    1. Re:It didn’t already? by Anonymous Coward · · Score: 0

      Heck, I think Firefox did it already...

      Nope.

      I think Flash must have released an unstable version recently. I’ve had Firefox lock up on me a couple of times. Killing the “plugin container” process in Task Manager immediately made Firefox start responding again and display an info bar on pages that had been using Flash saying that a plugin had crashed (gee, wonder why?) and suggesting that I reload the page.

      Firefox is running the flash player in a separate process. That process is not sandboxed.

      If an exploit in flash is discovered, and you visit a page with malicious flash content, the flash player process can do anything that the user running firefox can do. Deleting your home directory and grepping for strings that look like credit card numbers, for example. Sandboxing stops this by killing the flash process if it makes any syscalls.
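
The broker model adisakp describes earlier in the thread and the kill-on-syscall behaviour described in the comment above, as an added example that is not any commenter's code or Chrome's own: on Linux, an untrusted child enters seccomp strict mode (only `read`, `write`, `exit` and `sigreturn` stay permitted) and has to ask its parent for file contents. `ALLOWED_DIR`, `broker_path_allowed`, `run_plugin` and the sample file are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the only directory the broker serves files from. */
#define ALLOWED_DIR "/tmp/plugin-data/"

/* Broker-side gate: the path must sit under ALLOWED_DIR and contain no "..". */
int broker_path_allowed(const char *path)
{
    if (strncmp(path, ALLOWED_DIR, strlen(ALLOWED_DIR)) != 0)
        return 0;
    return strstr(path, "..") == NULL;
}

/* Untrusted side. Once prctl() succeeds, any syscall other than read, write,
 * exit or sigreturn gets the process killed with SIGKILL. */
static void plugin_child(int sock, const char *path, int misbehave)
{
    char buf[256];
    int fd = -1;

    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
        _exit(2);                       /* fail closed: never run unconfined */
    if (misbehave)
        fd = open(path, O_RDONLY);      /* direct file access: killed here */
    (void)fd;
    if (write(sock, path, strlen(path)) < 0 || read(sock, buf, sizeof buf) < 0)
        syscall(SYS_exit, 1);
    syscall(SYS_exit, 0);               /* _exit() would use exit_group: not allowed */
}

/* Trusted side: serve one request, then reap the child.
 * Returns 0 if the child exited cleanly, the signal number if it was killed,
 * or -(exit code) otherwise (-2 means seccomp strict mode was unavailable). */
int run_plugin(const char *path, int misbehave, char *reply, size_t reply_len)
{
    int sv[2], status;
    char req[256], data[128];
    ssize_t n;
    pid_t pid;

    reply[0] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        plugin_child(sv[1], path, misbehave);
        _exit(1);                       /* not reached */
    }
    close(sv[1]);

    n = read(sv[0], req, sizeof req - 1);   /* 0 bytes if the child died first */
    if (n > 0) {
        req[n] = '\0';
        /* The broker, not the plugin, opens the file, and only after the gate. */
        int fd = broker_path_allowed(req) ? open(req, O_RDONLY | O_NOFOLLOW) : -1;
        ssize_t got = fd >= 0 ? read(fd, data, sizeof data - 1) : -1;
        if (fd >= 0)
            close(fd);
        if (got >= 0) {
            data[got] = '\0';
            snprintf(reply, reply_len, "OK:%s", data);
        } else {
            snprintf(reply, reply_len, "DENIED");
        }
        send(sv[0], reply, strlen(reply), MSG_NOSIGNAL);
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -WEXITSTATUS(status);
}

int main(void)
{
    char reply[256];
    FILE *f;
    int rc;

    mkdir("/tmp/plugin-data", 0700);            /* constructed sample data */
    f = fopen(ALLOWED_DIR "settings.sol", "w");
    if (!f)
        return 1;
    fputs("volume=7", f);
    fclose(f);

    rc = run_plugin(ALLOWED_DIR "settings.sol", 0, reply, sizeof reply);
    printf("brokered, allowed path: rc=%d reply=%s\n", rc, reply);
    rc = run_plugin("/etc/passwd", 0, reply, sizeof reply);
    printf("brokered, other path  : rc=%d reply=%s\n", rc, reply);
    rc = run_plugin("/etc/passwd", 1, reply, sizeof reply);
    printf("direct open() in child: rc=%d (SIGKILL is %d)\n", rc, SIGKILL);
    return 0;
}
```

A production broker would also resolve symlinks in intermediate path components before opening; the gate here checks only the prefix and `..`.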

    2. Re:It didn’t already? by clone52431 · · Score: 1

      Firefox is running the flash player in a separate process. That process is not sandboxed.

      If an exploit in flash is discovered, and you visit a page with malicious flash content, the flash player process can do anything that the user running firefox can do.

      Yeah, I wasn’t thinking about that subtlety. However, that’s still a form of sandboxing; it’s sandboxed away from the rest of the browser, though not sandboxed from the OS.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
    3. Re:It didn’t already? by Enderandrew · · Score: 1

      Chrome separated the plugin as a separate process, which Firefox then copied. But merely having the plugin as a separate process does not mean the plugin is sandboxed. Flash still has access to install spyware on your computer. By placing the plugin in a sandbox, Flash doesn't have the right to hose your box.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    4. Re:It didn’t already? by clone52431 · · Score: 1

      Processes should already be running under limited user access, so I was thinking more in terms of stability than security. But you’re right.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  15. A simpler and safer approach by ThatsNotPudding · · Score: 1

    would be to sandbox everything made by Adobe.

    1. Re:A simpler and safer approach by gstoddart · · Score: 1

      would be to sandbox everything made by Adobe.

      Or, don't install it if you can live without it.

      The overwhelming majority of stuff that I do online doesn't need flash -- I see it in ads more than I do anything useful, and that gets blocked by noscript before it can discover that I don't even have Flash installed.

      When I do need flash, I go into a fairly closed down VM image and run it -- and that's pretty rare, like twice/month tops. While I'm sure there are sites that people use that require it, I've always avoided it like mad and don't feel like I'm missing anything important.

      --
      Lost at C:>. Found at C.
  16. Can I Has Flash Player? by Anne_Nonymous · · Score: 1

    Litter box, sandbox; both are full of sand and "Tootsie Rolls".

  17. Re:Better Score? by Trailrunner7 · · Score: 1

    No. This was actually announced 2 weeks ago by Google and Adobe, not today. http://blog.chromium.org/2010/12/rolling-out-sandbox-for-adobe-flash.html

  18. Does this make it respect Incognito? by brunes69 · · Score: 1

    If you browse in incognito mode does it then make all flash storage non-persistent? Because this is how the evercookie works across incognito.

    1. Re:Does this make it respect Incognito? by Anonymous Coward · · Score: 0

      the evercookie works across incognito.

      False.

  19. Not safe enough by SirMasterboy · · Score: 1

    I run my sandbox in a sandbox. That ought to be safe enough!

  20. LOL by Captain+Splendid · · Score: 2

    As an admitted fan of the iOS line, that was comedy gold. Here's hoping the butthurt fanbois don't have mod points today.

    --
    Linux, you magnificent bastard, I read the fucking manual!
    1. Re:LOL by Anonymous Coward · · Score: 0

      Hey, even in fanboi mode I agree with the statement and think it's funny.

      I just happen to think it's a *good* thing!

  21. Java did it by guybrush3pwood · · Score: 1

    ... a long time ago. I'm not impressed.

    --
    Perhaps I'm trolling, perhaps I'm not.
    1. Re:Java did it by Anonymous Coward · · Score: 0

      ... a long time ago. I'm not impressed.

      No one uses web browsers or flash players written in Java. The chrome team made a browser with over 100e6 users with a sandboxed renderer. Then they created a sandboxed flash player and PDF viewer. These are not small accomplishments.

      Suppose someone created a C/C++ compiler that completely prevented buffer overflows and supported existing code with only a recompile and a few small changes. They then went out and got 95% of desktop software in use to be compiled with it. Would you say this is not impressive, because Java already prevents buffer overflows? Of course not: The number of desktop applications written in Java is very small, and this project had an effect on real users.

    2. Re:Java did it by Neil+Boekend · · Score: 1

      flash players written in Java.

      That is just nasty. We'd need quantum computers to be able to run that!

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  22. Run the Browser in a VM by Anonymous Coward · · Score: 0

    I've been thinking that the ultimate in browser security would be to use the Chrome "OS" to create a virtual machine for the browser, thus each "browser" would actually be its own machine (VM). The only way for the browser to get files to the host machine would be through some sort of quarantine folder or frtp like protocol. You'd have to install plug-ins in each VM but if something bad happened all you'd have to do is start again. Bookmarks can be sync'd over the web.

  23. Steve Jobs was right: Flash sucks by Anonymous Coward · · Score: 0

    Here's proof. CPU usage reduction up to tenfold

    1. Re:Steve Jobs was right: Flash sucks by clone52431 · · Score: 1

      It couldn’t use hardware acceleration before. It can now. They’re releasing a new version that does.

      I think you mean, Flash used to suck... and it wasn’t really entirely its fault.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  24. Re:Better Score? by Anonymous Coward · · Score: 0

    To be even more specific, the test evaluated the signature bases against a set of undisclosed URLs. And to note an odd quirk, the test heavily penalized all other browsers for pushing out signatures for these particular URLs a few hours after IE received its signatures. So, the reality could be that NSS biased their test schedule to coincide with the IE signature updates, or they took their URL list from the same source as IE, or something else entirely. So, without actually disclosing their full source data and methodology, we simply have no objective way of concluding anything from that report.

  25. Correlation by Fujisawa+Sensei · · Score: 1

    Since a sandbox is a litterbox and a litterbox is really just a toilet, that would mean they're throwing flash in the toilet. Perfect!

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
    1. Re:Correlation by AmazingRuss · · Score: 1

      Maybe kitty will come along soon and bury it.

  26. Step Forward... by theamarand · · Score: 1

    I think this is a good step forward. I'd like to see the majority of plugins in a sandbox. I like to use them, but you can't always be 100% sure if you can trust them or not. Sure, there are applications that have been around for ages, are designed by good companies that have decent reputations - but what about that "must have app" that you're not completely sure about? I know on my Blackberry, each application has its own permissions. I can add and remove permissions at will, and even set them to prompt me. I've always found Internet Explorer a bit scary, but have never worried much about Firefox. With some plugins, it should be a no-brainer: does a weather application need access to my hard drive, aside from a caching space? I don't think so. Possibly plugins could be vetted and reviewed by a committee, and given permissions within the browser/OS based on what they need to do, and each plugin would have a "safety rating" (red, yellow, green) so you can choose your exposure. If all of your plugins were "green," you'd know that the committee reviewed the code and set the permissions in such a way that your data could not be compromised. If code could not be reviewed, it would automatically be marked yellow or red. I like the idea of choice equally as well as I like safety and security.

  27. My cat does better than Google. by Anonymous Coward · · Score: 0

    He throws Flash in the litterbox.

  28. Re:Better Score? by Enderandrew · · Score: 1

    The day they announced the Chrome browser they said they would work with Adobe toward this goal.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  29. Re:Better Score? by Anonymous Coward · · Score: 0

    Plus, Chrome supported semi-working sandboxed Flash for like 6 months, via --safe-plugins.

  30. Um... by Anonymous Coward · · Score: 0

    They didn't already do this?

  31. Sandboxing 'protection' by dugeen · · Score: 1

    It's the user who's in the sandbox with Google software. No chance of turning off the fade-in, or the instant search keylogger.

  32. It will not be fully closed. by Neil+Boekend · · Score: 1

    Something tells me the "we need monies!" department will throw a wrench into the machinery.
    The tracking cookies will not be blocked and thus there will be a way to "escape" the sandbox. Google is an advertisement company, you know.

    Disclaimer: I am a Google user. I am simply aware of their revenue stream.

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.