Firefox finally rolling out Fission on Android

A multi-process architecture is just a prerequisite. Where is the actual sandboxing for content processes and other important processes which enforces security boundaries needed for meaningful site isolation?

3 Likes

Indeed, as mentioned above, Firefox still does not use the isolatedProcess service flag.

It is truly abysmal the state of Firefox on Android after all these years.
Pure neglect.

12 Likes

You can use Orbot with Brave to achieve the same effect.

@anonfox
That won’t isolate sites to their own circuit.

1 Like

Honestly we should understand @Encounter5729’s sentiment that this is a good step in the right direction for Firefox and hold them accountable to that standard (which is stabilizing and enabling the isolatedProcess).
Now that I saw your fair responses.

Speaking of, people, please phrase properly next time, for the love of god.

4 Likes

Agreed. They started the rollout for Fission for Firefox desktop back in 2021, and only now are we getting it rolled out for Android. isolatedProcess will probably not be implemented in the near future, unfortunately, as it still has a lot of blockers.

DNS-over-HTTPS is another privacy/security feature which still isn’t here (except in IronFox, to my knowledge), and I bet the new features currently rolling out, like tab groups for desktop, won’t come anytime soon, either.

At the end of the day, it’s probably because of the small userbase of Firefox Android, but projects like Tor would benefit from security improvements, and we all know how important that is.

Nonetheless, I am happy improvements are being made.

2 Likes

It works if you enable it in about:config (or in the stable release: chrome://geckoview/content/config.xhtml) but yeah I wouldn’t really count that.

2 Likes

It is on IronFox, and the maximum level of protection is enabled by default, with Quad9 as the default provider

Too late to the party, they should have done it a long time ago by now. Seems like Mozilla forgot their roots & what made them so popular and at their peak, once upon a time. The legendary “Fox”. But what will happen if they don’t keep/maintain this one thing and focus elsewhere? Yes, Chrome has an insane monopoly backed by a tech giant and there are anticompetitive elements, but it’s not an excuse to stall the development. FF is still the only true independent browser except for when projects like Ladybird manifest. But until then “Brave” all the way.

network.proxy.autoconfig_url

???

This is the problem with using abbreviations. Maybe you should edit your original post and write out what you’re actually talking about here.

tbf, Chrome on Android relies on dynamic code loading, which may be a bigger cause of concern than these other sandboxes it may have?

Ex: Graphene disables (ART) JIT & (memory) DCL on most if not all system components except Vanadium (WebView), I think.


Edit:

Wow. I didn’t know. Chrome uses what they call “magic pointers” which are also compressed? I wonder how it all even works properly with PAC (pointer authentication) let alone MTE (memory tags). Does Graphene/Vanadium have a write up anywhere on what went into it (if it wasn’t just a matter of flipping a build-time / compile-time / link-time / runtime flag)?

FF also needs DCL via memory.

No. Sandboxes are one of the biggest security hurdles in browsers.

Wdym?

Firefox is a strange company, truly. Though they are the primary browser company, starting from Netscape, they do everything except the browser.

Dynamic code loading restriction is incompatible with JIT. Chromium also needs it on Windows and Linux.