Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Firefox The Internet Linux

Firefox 57 Brings Better Sandboxing on Linux (bleepingcomputer.com) 124

Catalin Cimpanu, writing for BleepingComputer: Firefox 57, set to be released tomorrow, will ship with improvements to the browser's sandbox security feature for Linux users. The Firefox sandboxing feature isolates the browser from the operating system in a way to prevent web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files. Chrome has always run inside a sandbox. Initially, Firefox ran only a few plugins inside a sandbox -- such as Flash, DRM, and other multimedia encoding plugins.
This discussion has been archived. No new comments can be posted.

Firefox 57 Brings Better Sandboxing on Linux

Comments Filter:
  • Firefoxalypse (Score:5, Insightful)

    by freeze128 ( 544774 ) on Monday November 13, 2017 @03:08PM (#55542393)
    I dread updating to Firefox 57, because it will break all of my plugins.
    • Re: Firefoxalypse (Score:3, Insightful)

      by Anonymous Coward

      The Firefox develops gave plenty of notice of this change, allowing add-on developers lots of time to upgrade and ensure their add-ons still work. This increases the speed of the browser dramatically. Don't blame the Firefox developers who are creating a better product. Blame the lazy add-on developers who haven't upgraded their add-ons. Alternatively, use an ESR release. Regardless, stop whining.

      • by Anonymous Coward

        Only waterfox has no problem being both fast and support xul pluggins.

        Yoi call people who have developed a fully functional codebase lazy because the don't adjust their priorities in line with a dick move.

        • by Anonymous Coward

          If it matters that much to you, volunteer your own time, fork Firefox 56, and maintain it yourself. Firefox is open source so you have the freedom to do that. Anything else is whining and making demands of other people's time when they have no obligation to you. Stop complaining and fork Firefox if you care so much.

          • by uncqual ( 836337 )

            freeze128 doesn't appear to be demanding anything of anyone. He is just observing that he dreads upgrading (just as I observed that I won't be upgrading and will be switching browsers).

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Except that Waterfox is not its own browser, it's wholly reliant on whatever the Firefox developers do. Once they stop overworking themselves by maintaining Firefox's legacy while updating it, and just pull out those bits, Waterfox will be fucked. Daydreaming about how easy it is to maintain XUL is just not going to get it done. There is no covert army of coders just waiting to take up the torch; if such a team existed they would have fixed the problems before things got to this point.

          The whole "lazy" angle

        • Only waterfox has no problem being both fast and support xul pluggins.

          Do you have benchmarks to prove it? I'd like to see the numbers on latest Waterfox versus Firefox 57, comparing both with and without add-ons installed.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        But Mozilla has removed APIs so many of the plugins are impossible to implement again.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          It's not that they removed them, but they simply haven't (or won't) implement them. The reason, as far as I can tell, is that they refuse to admit that there are better (or simply different) ways to design the interface.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        The Firefox develops gave plenty of notice of this change, allowing add-on developers lots of time to upgrade and ensure their add-ons still work. ...

        The amount of advance notice is irrelevant. The fact that the switch to Web Extensions is being driven by the calendar rather than the readiness of the software is the problem.

        The new add-on interface still lacks functionality. There are many things that a Web Extension simply can't do, but that can be done by traditional Firefox add-ons. To add insult to injury, the Mozilla team isn't treating these gaps as a high priority. Their attitude seems to be "tell us what you're missing and maybe we'll add it late

        • Re: Firefoxalypse (Score:5, Informative)

          by KiloByte ( 825081 ) on Monday November 13, 2017 @04:18PM (#55542917)

          Out of 37 extensions I use, there are WebExt equivalents for, *drumroll* 11. That much only because I spent some time looking for replacements.

          APIs that would be required to reimplement those extensions aren't even coded yet, and any code that gets merged (which usually takes months) needs additional 18 weeks to percolate into an unstable ("non-ESR") release. With Firefox 52 EOL in June, the chances enough of extensions required for sane use will be ready by then are about nil. And the default, with nothing for privacy but tons of junk like Pocket or Telemetry, is almost as far from sanity as Chromium.

          I guess it's time to look into packaging Waterfox or another fork.

          • by Anonymous Coward

            If you want to stay at v56 a while, which is what I plan to do until the whole extension clusterfuck gets sorted out:

            sudo apt-mark hold firefox firefox-locale-en

            I don't use as many extensions as you, but still a solid half of the 12 or so I use have no v57 version, and many of them can't given the API limitations.

            This thing is being pushed out too early. First reach feature parity, THEN ship it.
            .

          • I guess it's time to look into packaging Waterfox or another fork.

            Pale Moon has come a long way, the compatibility issues and frequent crashes are both gone.

          • by jon3k ( 691256 )
            37 Extensions? I didn't even know there were that many. Mind sharing a list?
            • AdBlock Plus (the WebExt version is useless, BTW), bug489729. CanvasBlocker, Classic Theme Restorer, Cookie Monster, Decentraleyes, DNSSEC/TLSA Validator, Download Status Bar, some poo Youtube downloader I won't grace with naming, Font Information, Google Privacy, google-no-tracking-url, Html Validator, HTTP/2 Indicator, HTTPS Everywhere, I don't care about cookies, Iceweasel Branding, KeysDisable, Last tab close button, No Coin, Open in Browser, OverbiteFF, Perspectives, Privacy Settings, RequestPolicy Con

              • by jon3k ( 691256 )
                I lost it at OverbiteFF, I've actually played with that before.

                Seriously, how many do you actually need though? Two or three?
                • Seriously, how many do you actually need though? Two or three?

                  Need: AdBlock Plus, bug489729, Classic Theme Restorer (for sane UI), Cookie Monster, DNSSEC/TLSA Validator, I don't care about cookies (EU sites are useless otherwise), Open in Browser (you can't view a goddamn diff otherwise!!!1!elebenty-one!), RequestPolicy, Sage, YesScript (too many sites have anti-AdBlock javascript).

                  Want for privacy: Canvas Blocker, Decentraleyes, Google Privacy, google-no-tracking-url, Smart Referer.

                  The rest merely make life nicer. And indeed, OverbiteFF is dead weight.

              • by G00F ( 241765 )

                WOW! You are the second person I know to have more than 10ish. I know one person with 20's and they claim to be a plugin addict. I have 10, and think that's on the higher side. I set most people up with uBlock or Disconnect and that's it.

                Going over your extentions, some appear to duplicate what already exists. Examples: can use google to translate page. Can shift click to force right click. Seams many of your plugins wouldn't be needed if you used NoScript.

                FF 57 with no NoScript, ment that I use Pale Moon

                • Sadly, a majority of web pages are unusable or seriously degraded with NoScript. Even Slashdot is uncomfortable to read.

                  That's why I use RequestPolicy to kill most third-party stuff, but default to allowing first-party scripts. Certain offenders then get smacked down with YesScript.

      • Re: Firefoxalypse (Score:5, Insightful)

        by Anonymous Coward on Monday November 13, 2017 @05:17PM (#55543341)

        That's great, except for the part where some plugins CANNOT be implemented under the new API.

        And the part where a whole ecosystem of perfectly good extensions created by volunteers for free is being discarded without a viable replacement for many of them.

      • The Firefox develops gave plenty of notice of this change, allowing add-on developers lots of time to upgrade and ensure their add-ons still work.

        Yet they mark some admittedly missing WebExtension functionality as "wontfix". See comment 11 by Andy McKay to Bug 1325692 - [commands] Explicit support for overriding built-in keyboard shortcuts by WebExtensions [mozilla.org]: "Removing flags, this API is not going to be written in time to for Firefox 57."

      • Re: Firefoxalypse (Score:4, Insightful)

        by doom ( 14564 ) <doom@kzsu.stanford.edu> on Monday November 13, 2017 @10:52PM (#55545097) Homepage Journal

        Blame the lazy add-on developers who haven't upgraded their add-ons.

        Let me enlighten you about a secret of software projects: if you want to be taken seriously as a platform for third-party developers, breakage-on-upgrade is never acceptable. And accusing them of being lazy is an excellent way of driving them away.

        Alternatively, use an ESR release.

        Which staves off the problem only temporarily. I would suggest the waterfox fork, or possibly palemoon.

        Regardless, stop whining.

        You first.

    • Re: (Score:3, Informative)

      then run the LTS for a while. AFAICT, the plan is they're going to increase the featureset available to plugins afer 57.0. with luck what you want will mostly be available by the time the LTS expires.

      • by uncqual ( 836337 )

        But, people who are already running 56 have no trivial LTS option - in a recent release (54?) Mozilla declared that backwards compatibility is not supported (I'd check the release notes again but find them extremely hard/counter-intuitive to find on the new FF website design - apparently it's focused on looking "cool" and trying to "sell" rather than focusing on trying to be functional and on providing information). Sure, you could reenter all your passwords, export/import your bookmarks (to some non FF for

    • Re: (Score:3, Informative)

      by nmb3000 ( 741169 )

      I dread updating to Firefox 57, because it will break all of my plugins.

      Apparently some editions of version 57 will continue to support "legacy" (bootstrap, XUL, etc) addons [mozilla.org] via a preference setting, including the developer and unbranded versions. This might be an option if you really want to upgrade to 57 but still want your addons.

      Personally 56 is the end of the Firefox line for me. I completely reject the horrible Australis interface and the push towards the gimped and incapable Chrome-style Web Extensions. Firefox had a good run, but its Chromification is now complete an

      • Re:Firefoxalypse (Score:4, Insightful)

        by Anonymous Coward on Monday November 13, 2017 @04:03PM (#55542803)

        I've heard this so many times it seems like Chrome/Edge propaganda now. Why so negative on the visuals of the browser? WHO GIVES A FLIPPITY DO DAH what the browser looks like? Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?

        Fine, quit Firefox, but they are adding more and more support for privacy while all the other browsers are removing it or don't give to diddly flips about it. Hand over your data to GOOGLE using a chrome WHICH LOOKS LIKE AUSTRALIS ANYWAYS!

        *Caps for emphasis on the total idiocy of these kinds of remarks.

        Repeat after me, ditching software A because it's ugly for software B that is also ugly is stupid logic.

        • by jez9999 ( 618189 )

          Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?

          YES. The size of buttons and other UI elements, the colourfulness and skilfulness of the icon design to make icons clear and pretty, and the fact that the UI functionality is even there in the first place (bookmarks sidebar, separate search bar, status bar, live bookmarks toolbar, etc.) are all important.

          • by roca ( 43122 )

            Good thing those are all still there in 57 then. (Except maybe live bookmarks; I'm not sure about that.)

        • >"Why so negative on the visuals of the browser? WHO GIVES A FLIPPITY DO DAH what the browser looks like? Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?"

          It is not just how it looks but how it operates. Some of us want tabs on bottom. Some of us want sane, traditional "file" menus for fast access and easy training. Some of us want a status bar. Some of us want predictable forward, back, reload, and home buttons that are together, don't disappear in context, or ar

          • Some of us want sane, traditional "file" menus

            The menus are in Firefox on Windows. Turn on the Menu Bar via the Hamburger menu -> Customize -> Toolbars options (or press F10 to turn them on and then select View -> Toolbars -> Menu Bar to keep them on).

            Some of us want predictable forward, back, reload, and home buttons that are together, don't disappear in context, or are not combined into some moving monster.

            That's how Firefox 57's UI is working for me. I use the Light theme (one of the three themes included in Firefox 57 by default) with the Compact density setting. See the Customize settings page.

            And it is unclear if those will ever gain the ACTUAL improvements Mozilla has added to Firefox for performance, memory usage, and security.

            So just use Firefox and customize the UI CSS [ghacks.net] if you really want to [github.com].

        • by nmb3000 ( 741169 )

          Why so negative on the visuals of the browser?

          Aside from the fact that I find it subjectively ugly, I dislike it because I think the design is unusable outside of a very base case of 2-4 tabs. Tabs-on-top is also a huge pain in the ass when using Remote Desktop or anything else that puts a bar along the top of the screen. It also goes against all OS design guidelines by removing the window title bar and system menus which makes muscle memory around those UI elements worthless. I could go on, but it doesn't really matter.

          Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?

          Of course. These UI elements

          • It also goes against all OS design guidelines by removing the window title bar and system menus

            You can turn on the Menu Bar in Firefox via the UI Customize settings (Hamburger menu -> Customize) or by pressing F10 to turn them on and selecting View -> Toolbars -> Menu Bar to keep them on.

            So far I've been content to fix these problems using a UI addon, but every single one of those is made non-functional in version 57.

            You can customize the UI via the built-in Customize settings. You can also modify the UI CSS [ghacks.net] if you really want to [github.com].

            watching it turn into a mini-me of Chrome is soul-crushing. Honestly, I'm really hoping that the 57 fiasco

            Firefox isn't a mini-me of Chrome and there is no fiasco. Relax. Don't worry, be happy [youtube.com]. You'll feel better.

          • by jon3k ( 691256 )

            Aside from the fact that I find it subjectively ugly, I dislike it because I think the design is unusable outside of a very base case of 2-4 tabs. Tabs-on-top is also a huge pain in the ass when using Remote Desktop or anything else that puts a bar along the top of the screen. It also goes against all OS design guidelines by removing the window title bar and system menus which makes muscle memory around those UI elements worthless. I could go on, but it doesn't really matter.

            You can hide the connection bar [ravingroo.com]. There's also Tree Style Tabs [mozilla.org].

          • You can add the title bar back through the UI customization.

            It's almost as if you haven't actually made any effort, and jumped straight to baseless complaints instead.

      • I've been using Waterfox for several years as my default browser. I keep a copy of Google IE6...er I mean Chrome for those web sites that employ less than compliant coding. I originally ran it on my Windows 7 gaming PC but now have it running on my Mint and Android devices as well. While purely anecdotal I feel like Waterfox is much faster than Firefox and comparable to Chrome in most regards. I haven't tried Pale Moon for a couple of years so I can't say how it compares to Waterfox currently.
      • Personally 56 is the end of the Firefox line for me. I completely reject the horrible Australis interface and the push towards the gimped and incapable Chrome-style Web Extensions. Firefox had a good run, but its Chromification is now complete and there's little reason to continue using it.

        Same here, even though I didn't have a problem with Australis, so I'll stick with ESR for a few months and then move to Pale Moon. There's an Adblock Plus XUL-based fork for Pale Moon, so everything is ready for the move.

      • Re:Firefoxalypse (Score:4, Informative)

        by DarkOx ( 621550 ) on Monday November 13, 2017 @04:52PM (#55543163) Journal

        Why don't you just go back to the still maintained Seamonkey suite? It supports all the best FF extensions.

    • Even this sandbox is broken, as it breaks any non-trivial audio that requires a plugin.

      • Then download the source code for the plug-in, exercise your right under the source code's free software license to transpile it to JavaScript and port it to the Web Audio API, and use one of the *monkey extensions to insert it into every page that requires said plug-in. Or hire someone to.

        • Then download the source code for the plug-in, exercise your right under the source code's free software license to transpile it to JavaScript and port it to the Web Audio API, and use one of the *monkey extensions to insert it into every page that requires said plug-in. Or hire someone to.

          How exactly do I "transpile" a honest LD_PRELOAD library (and its dependencies) to JavaScript? And how do you propose to call ioctls from JavaScript injected into a page?

          • How exactly do I "transpile" a honest LD_PRELOAD library (and its dependencies) to JavaScript?

            First you obtain its source code, and then you use Clang with the Emscripten or WebAssembly target.

            And how do you propose to call ioctls from JavaScript injected into a page?

            By writing a shim that translates audio ioctls to their corresponding Web Audio API calls. In some cases, it may be easier to delete all the operating system integration, keeping only the codec proper, and write a new Web Audio API integration.

            • easier to delete all the operating system integration, keeping only the codec proper, and write a new Web Audio API integration

              That can work if all you want is some codec, rather than making audio work at all. That "Web Audio API" won't work if the browser itself can't output sound.

              • by tepples ( 727027 )

                In the HTML5 model, integration with the operating system's audio output API is the responsibility of the browser, not the plug-in. If your browser can't play sound, your browser is broken.

    • by Anonymous Coward

      Noscript is still flagged Legacy. I won't upgrade until it's available.

      I run Adblock Plus, Ublock Origin, and Noscript. They're all turned up to 11, and they still manage to block different things.

      • by Luckyo ( 1726890 )

        Noscript, instead of all the grandstanding is apparently simply not portable. The functionality needed in the API does not exist.

        In before a bunch of knights in shining armour start quoting Noscript's author from months ago. Yeah, he said it might be possible and that it was a high priority to firefox team themselves to get it working. And even with that level of support, it still hasn't been done. Draw the relevant conclusions and understand you're being lied to.

      • Why both ABP and uBO? They overlap completely. Replace ABP with Privacy Badger instead.

    • by uncqual ( 836337 )

      I don't dread it, because I won't do it. After over a decade of loyal FF use, 56 is the end of the road for me as I've only found a comparable WebExtension plugin to ONE of the seven or so plugins I rely on. A major reason I have been loyal to FF, and tolerated its performance issues related to memory over the years, is because of the plugins.

      I actually regret upgrading to 56 from 55 -- performance dropped into a abyss upon installation (I now keep an about:memory tab open all the time so every so often I c

      • I can click on 'minimize memory' which resolves

        Sounds like you've got add-on problems. You should see if the problem persists with all add-ons disabled and maybe reset to a clean profile if you've been changing about:config settings (see about:support).

        • by uncqual ( 836337 )

          I've considered doing that, but since the problem cropped up simultaneously with the install of 56 and without any upgrades to add-ons (I don't allow automatic upgrades), I figure that probably isn't worth my time given that the lack of add-ons I want in 57 mean I'll be abandoning FF anyway -- small odds of buying a few more weeks or couple months (before some security problem goes unfixed in obsoleted 56) isn't worth the effort.

          • by uncqual ( 836337 )

            (I forgot to mention also, I don't screw around with about:config settings hardly ever -- and certainly not in the past couple of years).

          • I figure that probably isn't worth my time

            It's trivial to do. Go to about:support and click on "Restart with Add-ons Disabled" to run Firefox in safe mode. When you're finished with safe mode, exit Firefox and run it up again normally. There isn't much effort required.

      • by Trogre ( 513942 )

        So what do you plan to do? Fork the FF 55 codebase, or start your own browser engine from scratch?

        If it's the latter, please be kind enough to share it with the rest of us.

        • by uncqual ( 836337 )

          Probably sell out and switch to Chrome -- but I've not spent much time in it so plans could change (the only time I use it now is when some web site, unfortunately more frequent recently, doesn't work in FF but does in Chrome - presumably because the site doesn't bother to test as well on FF any more).

          But, nope, I'm not forking FF 55 and taking it over :) That's not the sort of system or code (or politics) I enjoy working on.

    • by jon3k ( 691256 )
      As a long time Chrome user I've been running Firefox Nightly on both Linux (Fedora 26) personally and on Windows at work, and it has been absolutely fantastic. The only plugins I use are: uBlock, RES, Vimium and Tab Session Manager but it has been wonderful so far. I have 40+ tabs open at any time and I haven't had a single issue, it's really been fantastic. The performance has been extremely good. The only caveat is that it seems to put tabs to "sleep" in the sense that if you don't use it for quite a
  • Download Link... (Score:5, Informative)

    by unique_parrot ( 1964434 ) on Monday November 13, 2017 @03:29PM (#55542567)
  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Monday November 13, 2017 @03:35PM (#55542625)

    Is it called "Firefox 57" because that's how many users are left?

    • Is it called "Firefox 57" because that's how many users are left?

      I thought it was homage to Wesley Snipes Passenger 57 :)

  • by Anonymous Coward
    No Tab Mix Plus? It's not Firefox, it's Cripplefox. Fuck the crips.
  • by short ( 66530 ) on Monday November 13, 2017 @03:47PM (#55542705) Homepage
    Why does Slashdot always compare Firefox with proprietary Chrome when all the mentioned features does provide already Free Chromium?
    • Slashdot is manipulating our minds :)
    • Part of the problem is that there's really no standard "Chromium" as they all differ depending on who built it and what they decided to include/exclude. However, Google specifies exactly what's in Chrome so if someone says Chrome you know exactly what they are talking about.

      The same thing exists actually on the Firefox side. While the source code is open, Mozilla owns the Firefox trademark and keeps pretty strict rules on what you can call Firefox should you start distributing your own builds. So the Chr

  • by theweatherelectric ( 2007596 ) on Monday November 13, 2017 @03:56PM (#55542773)
    The BleepingComputer article adds nothing of value over the original blog post [morbo.org].
  • My games website was somewhat popular (1000s of views per day and this was the mid-90s so was a kind of big thing then) and I had a guy who regularly updated it for me. One day I decided to overhaul the design to make it something I thought looked more appropriate. I asked the guy and he said he didn't like it and preferred the current one but I was sure I was right so I ploughed ahead and replaced the site with the new design. He left, and the site viewership dwindled down and never recovered.

    Mozilla ki

  • Piro's Tree Style Tabs has been ported to 57:
    https://addons.mozilla.org/en-... [mozilla.org]

    So I'm on board. No other browser offers this functionality still and its my must have feature. Vivaldi has something similar, but not the same.

    I wish Video DownloadHelper would get ported though. That could be a problematic change.

Order and simplification are the first steps toward mastery of a subject -- the actual enemy is the unknown. -- Thomas Mann

Working...