Slashdot Mirror
Mozilla Is Working On a Chrome-Like 'Site Isolation' Feature For Firefox (bleepingcomputer.com)
An anonymous reader writes: "The Mozilla Foundation, the organization behind the Firefox browser, is working on adding a new feature to its browser that is similar to the Site Isolation feature that Google rolled out to Chrome users this year," reports Bleeping Computer. "[Chrome's] Site Isolation works by opening a new browser process for any domain/site the user loads in a tab." The feature has been recently rolled out to 99% of the Chrome userbase. "But Chrome won't be the only browser with Site Isolation," adds Bleeping Computer. "Work on a similar feature also began at Mozilla headquarters back in April, in a plan dubbed Project Fission." Mozilla engineers say that before rolling out Project Fission (Site Isolation), they need to optimize Firefox's memory usage first. Work has now started on shaving off 7MB of RAM from each Firefox content process in order to bring down per-process RAM usage to around 10MB, a limit Mozilla deems sustainable for rolling out Site Isolation.
Going for the nuclear option I see.
Let users whitelist domains they trust and run those without this feature. Also run advertising domains for the same advertising companies in the same processes. Also kill advertising processes when they cause the browser to exceed a certain amount of performance. There are a lot of web sites out there that are slow because there are dozens upon dozens of advertising relating domains on them.
But is it a full site isolation that also separates third party cookies per main site?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Reading on this and the Chrome one, it seems this could be open to easy stealth-abuse by embedding several hundred iframes and slowing down everything.
Correct me if I am wrong.
I won't post a link to do it since I don't want to be responsible for some idiot potentially crashing their computer at work, but just duplicate <iframe src="google.tld"></iframe> and replace TLD with all of Googles ones. There's a few dozen of those.
I'm 99% sure it wouldn't work if you just copy-pasted Google.com since it likely isolates domains globally.
ADMITTEDLY this is minor since if you have a malicious site, you could do damage by embedding massive resolution images, screamers, window-open bombs, several hundred large GIF / canvas / SVG / DOM animations, etc.
Do you work at the EU or why don't you understand that you can block third party cookies in your browser settings?
If Firefox's implementation will be free software (or something that can easily become free software), Firefox will continue to allow anyone to inspect, modify, and share the software even commercially. This leads those who do such work to personally trust the code because they know what's in that code and if they find something they don't like (no matter how that is defined) they can improve the code (or get someone they trust to do this for them) and then they can distribute the improved code to help the community (including non-programmers, the majority of computer users). This also helps explain why other browsers including the Tor Browser derive from free software browsers such as Firefox.
Chrome, on the other hand, is nonfree software (proprietary, user-subjugating software); software which does not respect a user's software freedom. Therefore we can't determine all of what Chrome does, and if we find out it does something we don't like we have no permission to improve Chrome and distribute an improved version. Proprietary software developers are in a position of power over their users, which is an injustice to the users. So long as Chrome remains unvettable by its users Chrome remains untrustworthy by default. As the Free Software Foundation rightly points out, proprietary software is often malware: "the initial injustice of proprietary software often leads to further injustices: malicious functionalities". Any further assessment of Chrome means looking at proxies for its trustworthiness instead of going to the natural and logical place to make this determination—a program's source code. Then we get to the reputation of its developer—Google—a known participant in international mass surveillance (per Edward Snowden's leaks). It makes no sense to talk about the security and privacy benefits that come from a feature such as site isolation while relying on an inherently untrustworthy program to look out for your interests. You'll note that popularity of a program or its developer doesn't enter into any serious discussion of how much trust to place in these programs, or whether to recommend their use by others.
Digital Citizen
For years now, Firefox users have been pointing out that Firefox is a memory hog. Instead of admitting this to be true, we typically saw moz://a fanatics claim that Firefox didn't leak or waste memory, and that the users were describing a problem that didn't exist. Yet despite these memory usage issues supposedly 'not existing', we sure see a lot of release notes entries and other bragging from Firefox's developers about how they've supposedly reduced Firefox's memory usage!
App makers need to stop assuming they can solve the security problem. They always need to break the veil of their own internal firewalls to gain speed. THey need to assume they will make a mistake. Meanwhile yawning right in front of them is the OS level Sandbox tools (e.g. on macs a DTRACE derivative) that allows the entite process and every child process to live insode a resource restricted firewall and possible even a chroot jail. Limit what ports or what filesystems or what other OS level resource the app can have and the damage it can do if it goes rogue is sharply limited.
these are really easy to do! they are built into OSX and Linux (maybe windows too? don't know) and they don't seem to affect performance. So why don't apps use these??
Some drink at the fountain of knowledge. Others just gargle.
>"But is it a full site isolation that also separates third party cookies per main site?"
You can already do this in Firefox now...
https://support.mozilla.org/en...
firefox usage numbers have been decreasing ever since chrome's release. not because of the dumb things mozilla developers and leadership have done, but because they don't trick people into installing it (chrome as 'bundleware' on 'freeware' downloads), con people into thinking they "have to" (gmail, youtube, google banners, etc), don't regularly advertise on national television or in national publications (google and microsoft both do this).
despite its shortcomings, firefox is still the browser you should be using and the only browser you should be recommending to others. period.
Browser ARE using OS-level sandboxing internally.
Putting the entire browser into a single sandbox is possible but "the damage it can do if it goes rogue is sharply limited" isn't true. A compromised whole-brower-in-a-sandbox can listen to your microphone, watch your webcam, manipulate your online banking, access all your Web passwords, manipulate your Webmail, etc. It (maybe) can't mess with your other desktop applications but for many users that's of very little value.
Browsers are using those OS-level sandboxing tools to sandbox individual "content" subprocesses. A malicious site might exploit a bug to take over a content process, but those processes have very low rights compared to the main browser process. They typically can't access the filesystem at all, they can't directly access microphones and webcams (only indirectly, triggering browser UI to notify the user), etc.
Currently in Firefox code from different Web sites can share the same content process, which means a site compromising a content process can usually access content from other Web sites like online banking. This article is about improving Firefox so that is no longer the case.
..or does Mozilla seem to wait for Google to do something in Chrome before the react accordingly for Firefox?
Sometimes blocking third party cookies aren't an option since it causes some quirky side effects that only can be rectified by at least simulating that the cookie was set - set cookie, check that it was set and if not set mess up the display with some quite annoying content.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
32 Gb of RAM.
Domestic spying is now "Benign Information Gathering"
Statcounter lets you look by country.
http://gs.statcounter.com/brow...
http://gs.statcounter.com/brow...
http://gs.statcounter.com/brow...
http://gs.statcounter.com/brow...
Chrome is the dominate browser, with often chrome /webkit based ones coming in 2nd(or the Chinese one...).
So where is "over here" where no one uses chrome?
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
I'll go back to Firefox when they give back the option to white list / disable java script (no, no-script doesn't cut it) and cookies in an easy, comprehensive and coherent way.
Please define "easy, comprehensive and coherent". If you want easy, install the "JavaScript Switcher" extension by Suraj Jain to give each domain an off switch.