this post was submitted on 18 Jun 2024
59 points (91.5% liked)

Firefox

17804 readers
223 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
 

I heard around the internet that Firefox on Android does not have Site Isolation built-in yet. After a little bit of research, I learned that Site Isolation on Android was added in Firefox Nightly, appearing to have been added sometime in June 2023. What I can't find, though, is whether this has ever been added to any stable versions of Firefox yet. Does anyone know anything about this?

Update: After further research, it appears that Site Isolation is not currently a feature in stable version of Firefox on Android. I don't know with certainty if their information is up-to-date, but GrapheneOS (A well-known privacy/security-focused fork of Android) does not recommend using Firefox-based browsers on Android due to it's (apparently) lack of a Site Isolation feature. A snippet of what Graphene currently have to say about Firefox on Android/GrapheneOS from their usage guide page, is: "Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface."

On a side-note, they also say about Firefox's current Site Isolation on desktop being weaker, which I wasn't aware of. "Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole."

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 4 months ago (2 children)

What is the actual risk here?

[–] [email protected] 5 points 4 months ago (1 children)

I'm no professional, but from my research I've been doing, it appears that the risk (at least one of them) is that a hacker could in theory create a website that exploits this vulnerability. If you access their website, their site could be capable of stealing sensitive information from the other Firefox tabs that you may have loaded on the side, at any given time.

[–] [email protected] 5 points 4 months ago* (last edited 4 months ago) (2 children)

Seems like pretty big risk... Wtf how is this still a thing?

Kinda makes hard to keep telling people to switch

[–] [email protected] 5 points 4 months ago (1 children)

What they said isn't exactly true. The actual concerns are far more narrow than the way they worded it

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (1 children)

it would be nice if you would narrow it down for everybody while we are here?

[–] [email protected] 2 points 4 months ago (2 children)

Well I'm not an expert and I don't feel like digging up all the specifics but the concerns generally are cookies. The person who replied here made it sound like Mozilla is letting websites steal your credit card number from open tabs or something

[–] [email protected] 3 points 4 months ago* (last edited 4 months ago) (1 children)

I too have a hard time telling whether the isolation features is a huge security risk or a minor one because things get too technical too quickly for me to follow.

Case in point, this website makes it sound relatively trivial just due 8 how technical it is (Ctrl+F for Firefox)

https://grapheneos.org/usage#web-browsing

[–] [email protected] 3 points 4 months ago (1 children)

Yeah, the graphene people hate Firefox, but I don't really put too much stock in their opinion because there are places where they mention it in an alarmist way imo

[–] [email protected] 1 points 4 months ago (2 children)

While I respect the work that they have done, leader handling of Lois rossmann was out of line.

I am not really sure what his deal is or was, but he should stay away from making public appearances until he learns to behave in public facing situation. The spazzing was uncalled for.

[–] [email protected] 2 points 4 months ago

I don't like to speculate, but I think it was mental illness, which may have started during the CopperheadOS days (the predecessor to Graphene).

Unfortunately, that does call into question the recommendations on that page, which I already had a little worry about because Vanadium is their thing, of course they're going to recommend it.

But I do genuinely want to know how significant of a risk this lack of isolation and sandboxing causes.

[–] [email protected] 1 points 4 months ago

He is nuts in general. I would stay far far away from graphene

[–] [email protected] 1 points 4 months ago (1 children)

alright i see, that does make more sense but they can still ID with you a cookie on all your concurrent sessions?

i guess this aint a security risk per see but wtf.. why they even need cross site cookies if they can do this.

[–] [email protected] 2 points 4 months ago (1 children)

Cross site cookies specifically are the concern here. Other cookies cannot be read arbitrarily

[–] [email protected] 1 points 4 months ago (2 children)

i see, i thought they are turn off now by default? or at least there is a setting to block hem.

[–] [email protected] 2 points 4 months ago (1 children)

On FF on my android phone, I just checked and "strict" privacy mode is not on so I guess by default cross site cookies may be enabled. Thanks for asking these questions -- I'm setting that to Strict now.

[–] [email protected] 1 points 4 months ago (1 children)

You did all the work...

I do keep mine on strict tho

I don't see why it is not set by default tbh prolly breaks some bullshot websites

[–] [email protected] 2 points 4 months ago

Yeah. Probably due to the fact that people will ignorantly declare firefox broken if they experience something like that. I don't think the standard setting is terrible for privacy either, btw, just a bit more permissive than "strict"

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago)

I'm not certain. The "strict" privacy setting in FF probably does block them. Not sure if it's default or not.

[–] [email protected] 1 points 4 months ago

Because it is hard to implement

[–] [email protected] 2 points 4 months ago (1 children)

If a site can exploit the browser engine they can access other pages. Normally the sandbox would make a exploit stay local