WebKit security vs others

Now that uBlock Origin Lite is coming to Safari and privacy could potentially improve on it, I’m starting to reflect on that browser’s security. This is a really broad question, but do you think WebKit beats Chromium in security? I haven’t seen much comparison of WebKit with Chromium or Firefox, other than this article and this excerpt from Privacy Guides’ Onion Browser review:

Onion Browser has historically been immune to Firefox-related vulnerabilities, but Safari is not known for its perfect security record either, and the number of eyes on Tor-related WebKit vulnerabilities is certainly far smaller than on Firefox/Gecko-related ones.

Webkit is also mostly in Javascript, which I think would give it an advantage compared to its memory unsafe competitors. Lastly, I know that Safari now can have Javascript Just In Time without Web Assembly. Are there any other major considerations I should be aware of?

My only reaction to this is that Apple is sort of the master of malicious compliance and, like a petulant child, it would seek to undermine as much as it can wherever it can get away with it. Still, it could be better than nothing…

I am also interested to know because I cannot force the spouse to change gadgets like GrapheneOS. The spouse is still enamored with Apple’s walled garden.

Webkit is written in C++, like Chromium, since Chromium is a Webkit fork.

They sandbox the web content, GPU, and network processes and parse media in an out-of-process sandboxed service. Note that Android Chromium only sandboxes the web content and GPU processes. Site isolation (not per-site sandboxing, don’t confuse them) is not enabled by default yet though, while it’s partially enabled by default in Android Chromium, although you can fully enable it (Vanadium and Cromite do by default).

According to Apple, the Webkit memory allocator has better type isolation and metadata protection than Chromium’s (note that this blog post references the old malloc, and the newer one should be even more secure). Can’t say whether this assessment is accurate or not though. Also, Webkit has compiler hardening that is supposedly “isomorphic” to MiraclePtr.

Webkit JIT and CFI hardening is very well documented. Here’s a brief walkthrough. If you dislike JIT, you can disable it in lockdown mode, and still use websites that depend on wasm. It also reduces much more attack surface, and it’s only getting better. Android Chromium does not use CFI by default, although Vanadium incompletely enables it for forward integrity. Doesn’t look like they enable SCS.

They might have a memory safe font parser, but it seems to be currently enabled in lockdown mode only, and it’s not in stable Safari yet. They do seem to intend to enable it regardless of Lockdown mode. Chromium’s memory safe font parser has been recently rolled out.

There’s no equivalent to the Chromium heap sandbox afaik.

Swift is increasingly getting used in Webkit, such as for WebGPU. See SwiftBrowser too.


I don’t think anything can beat this:


On the WebKit GitHub I see almost three times as much JavaScript as there is C++, while the Chromium GitHub has almost three fourths C++.

I do see your point, though Trivalent and Safari do not share any operating systems.