Comments on: Some aspects of security that have nothing to do with “sandboxing” and “process separation” http://blog.mozilla.org/bjacob/2012/01/18/some-aspects-of-security-that-have-nothing-to-do-with-sandboxing-and-process-separation/ Just another Blog.mozilla.com weblog Tue, 11 Dec 2012 02:32:08 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Wladimir Palant http://blog.mozilla.org/bjacob/2012/01/18/some-aspects-of-security-that-have-nothing-to-do-with-sandboxing-and-process-separation/comment-page-1/#comment-2597 Wladimir Palant Wed, 18 Jan 2012 13:09:08 +0000 http://blog.mozilla.org/bjacob/?p=74#comment-2597 It’s sadly a side-effect of the “user education” done by the Google Chrome team. They popularized sandboxing for their marketing as *the* security solution without explaining its limitations. So we now have people running around with a checklist “Process separation? [ ] Sandboxing? [ ]” without thinking about whether they are asking the right questions.

Personally, I consider “process-per-tab” a stability and not a security feature. It’s quite wasteful as far as system resources go and it is actually unnecessary security-wise (as you said, if you found a way to circumvent the same-origin policy then you can use it on iframes in your own tab rather than trying to “hack” other tabs). It would be sufficient to have two processes – one for the browser UI and one for the content pages, like what the Firefox Mobile team did. But even that only makes sense if the content process is actually sandboxed and cannot do anything dangerous on its own. And then you have to consider the quality of the sandbox – what if the content process sends fake user input to the browser UI process, will it be tricked into doing something bad? That’s a very hard problem actually and I’m all but certain that the Chrome team managed to solve it completely. But thinking in terms of checklists is certainly easier.

]]>