Site isolation of Gecko-based browsers on Android

As we know Gecko browsers don’t have site isolation on Android. I really want to use Mull on Android, but some questions preventing me from switching. Is site isolation a big security concern? Are there many sites out there that can exploit this vulnerability? Should I open only one site per session when using Gecko-based browsers to mitigate the site isolation issue? What threat model is suitable for using Gecko browsers?

Don’t use Mull. The arkenfox user.js they are using, it is specifically made for desktop Firefox. Use any chromium browser, or the best Bromite.

Personally I just use default Firefox and its fine for me but its mostly threat model based. Ultimately you can use whatever you want if you deem it worth the hassle or “risk” for you.

Firefox android standsout a lot with uBO and is literally the best. But lack of features and slowness bothers me. I will try it next year when it matures enough.

1 Like

Is Bromite still worth using despite the fact that it is not up-to-date? Bromite chromium version is 106.0.5249.163 and the latest chromium version is 107.0.5304.94.

Personally I’d just use Brave. It seems a lot of people have lost faith in Bromite for whatever reason

I’d use it too, but Bitwarden autofill doesn’t work in Brave for me.

Really? When I used Brave it worked fine for me. Are all your toggles in bitwarden enabled?

It’s probably due to the lack of google services. Autofill works with accessibility service though, but sometimes it can be buggy.

1 Like

It seems a lot of people have lost faith in Bromite for whatever reason

It depends on your definition of faith.

Bromite disables JIT by default, JavaScript RCE will have hard time escaping sandbox, plus all GrapheneOS patches are applied to it. Lead dev of ROM didn’t like that they were accepting patches from their competing ROM, and instantly dismissed the project without second thought.

2 Likes

This thread is awful.

Isolation is clearly defined on my tables: Browsers - DivestOS Mobile

Bromite is consistently behind: https://divestos.org/misc/ch-dates.txt

Bromite does NOT include all of the Vanadium patches:

  • https //github[.]com/bromite/bromite/tree/master/build/patches
  • https //github[.]com/GrapheneOS/Vanadium/tree/13/patches

The arkenfox user.js they are using, it is specifically made for desktop Firefox.

This statement is meaningless. You’d think I’d maintain Mull for the past five years if it didn’t do anything?

edit: to actually elaborate on this:
Fenix compared to desktop:

  • RFP does not have letterboxing
  • RFP mangles languages and will always(?) send the system language
  • RFP does not allow the user to allow canvas access for a website
  • dFPI is not available, FPI is
  • FPI doesn’t partition service workers, Mull however disables them
  • mDNS protections for WebRTC are not available, Mull disables WebRTC
  • ETP Strict cannot be set via config, Mull changes the default in the code instead

JavaScript RCE will have hard time escaping sandbox

This doesn’t make it acceptable to fall behind and leave zero days hanging around.

5 Likes

Oh wow are you the creator/maintainer of Mull? Very impressive! I appreciate the work you do! Is there a good place to see the changelog for Mull?

Thanks for this reply. The impression I have from PrivacyGuides is that Firefox’s site isolation is worse than Chromium’s on both desktop and Android, but even moreso on Android. I’ve had trouble finding technical, in-depth info comparing the site isolation of the two browser engines so if you have any more info on the topic that pushes against this orthodoxy, I would love to hear them.

I see that on PrivacyTests.org: open-source tests of web browser privacy Mull performs nearly as well as Brave/Bromite in the “State Partitioning tests.” Does this give the full picture in terms of how effective the site isolation is or is there more too it?

@Gunther
please read my tables link, it details the difference between per-site process isolation and per-site data isolation.

privacytests.org only takes into account per-site data isolation.

2 Likes