Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Firefox Security

Firefox for Mac and Linux To Get a New Security Sandbox System (zdnet.com) 40

Mozilla will add a new security sandbox system to Firefox on Linux and Firefox on Mac. The new technology, named RLBox, works by separating third-party libraries from an app's native code. From a report: This process is called "sandboxing," and is a widely used technique that can prevent malicious code from escaping from within an app and executing at the OS level. RLBox is an innovative project because it takes sandboxing to the next level. Instead of isolating the app from the underlying operating system, RLBox separates an app's internal components -- namely its third-party libraries -- from the app's core engine. This technique prevents bugs and exploits found inside a third-party library from impacting another project that uses the same library.
This discussion has been archived. No new comments can be posted.

Firefox for Mac and Linux To Get a New Security Sandbox System

Comments Filter:
  • Sandboxes all the way down. I can have Firefox installed in Docker and all my plugins installed in RLBox. Now I just need to create a plugin that creates a sandbox from the sandbox.
    • You've got sandboxes covered. I'll bring a bucket of water and some toy trucks. Vrooom! Beep beep beep.... :)

    • I bet at the bottom of the sandbox you will find a turtle.
    • Comment removed based on user account deletion
    • Why doesn't Firefox sandbox its memory usage, so all the leaks are confined to the sandbox and you don't suddenly notice that 15.9GB on your 16GB machine is allocated to Firefox.

      While we're at it, sandboxing video playback so you can't bluescreen your machine by watching Youtube videos would be good too. This isn't machine-specific, it's endemic to Firefox, do a Google search.

    • Yeah, it essentially sandboxes the OS so it doesn't have access to the IME's stuff.

  • xkcd said it all (Score:4, Insightful)

    by ffkom ( 3519199 ) on Tuesday February 25, 2020 @04:27PM (#59766304)
    Just another turn in the sand-boxing circle of stupidity: https://xkcd.com/2044/ [xkcd.com]
  • ..and in effect a mini OS running in a real OS, then none of this nonsense would be required. Browsers should bin javascript and any other Turing complete programming subsystems and go back to being dumb presentation clients with the heavy lifting going on server side.

    • where the clients are carrying around super computers in their pockets. Also users want their websites to have all sorts of fancy features like being able to click "Reply to this" and getting a box where they can type their reply directly under the comment. Or fancy menus. Or animations that show when something is loading. Or any of a dozen or so UI features that are all nice to have....
      • by Retired ICS ( 6159680 ) on Tuesday February 25, 2020 @05:55PM (#59766542)

        I believe you are pleading facts not in evidence. I have never seen nor heard of anyone wanting websites to operate as you describe *except* so-called "web designer" crowd and their next-relatives "graphic designers". The former should be taken out behind the barn and beaten to death with baseball bats, and the latter confined to printed media (as in on paper).

        These two groups are, by themselves, completely and entirely responsible for everything that is wrong with the web.

        • These two groups are, by themselves, completely and entirely responsible for everything that is wrong with the web.

          Hold up now. Let's not forget to give some credit to the W3C for the banged up job they've been doing for targeting "apps" as the thing to compete with.

        • not that I've done a ton, but if I give a user a basic web page they complain it's hard to navigate and it looks old and tired. Companies don't redesign things just for fun. Especially B2B companies where I see a lot of these new UIs cropping up. Businesses, especially in America, will run the same stuff forever if they can, only changing it out when it breaks. It costs money to make these fancy websites, and no business is going to spend that money if they don't have to. The owner would be much happier to
      • There still are ANSI escape sequences to move the cursor to output the next characters at a specific location.

        Essentially, VNC is doing that exact thing graphically.

        So yeah, basically, at this point we could just jump to the NX protocol with added H.265 compression and such for streaming 3D games, movies etc.

        Hell, anyone tried building an input server that can be combined with YouTube live streams to get a full remote PC experience whem full-screen? :D

        Fuck, I will code it this weekend! Woohoo! Suck on that,

    • by gweihir ( 88907 )

      Indeed. This whole thing is very, very stupid. The worst I have seen is pushing 1.5MB of JS to the client to render a table that would have rendered entirely fine in plain HTML 2.0.

    • Browsers should bin javascript

      There are a whole lot of web functions that rely on AJAX to perform "as you type" data lookups and asynchronous updates. Javascript makes this possible. How do you think Slashdot's mod system works? It doesn't do a HTTP POST to record your mod. It uses AJAX to update the database leaving your browser page exactly where it was so you can continue reading posts.

      Just install any Javascript blocker in your browser and you should be a happy camper.

      • by Anonymous Coward

        Do you actually web? You know that AJAX requests can use any of the HTTP verbs. Right? Like DELETE, PUT, PATCH, POST, GET...

        Yes, they do make POSTs, you moron. They just don't do it where you can see it.

        TL; DR: AJAX and POST aren't mutually exclusive. To say AJAX doesn't make a POST is like saying rain isn't water because oceans are water.

        Also, you're a moron.

    • by AHuxley ( 892839 )
      An all Ada browser?
    • Even without scripting, a web browser uses many different libraries for supporting a large number of image, font, audio and video formats. Buffer overflows in those could compromise the browser.

      • Sure, but the vast majority of exploits in the wild are based on JS, presumably because it's easier to exploit in useful ways. While getting rid of it wouldn't offer immunity, it would force exploit authors to work harder, which would inevitably make it not worth the trouble for some of them and require more time and effort (and possibly money) for others.

        I don't think nuking JS is a viable option, but I'd be interested in seeing if it's possible to make a browser that takes a minimalist approach to JS a
  • Define "app".
    Define "third party library"

    I already have JavaScript and WebAssembly disabled. That completely prevents malicious code execution on my computer. I have no need of a "Sandbox" for the cat to piss in.

    • HTML5 itself is already Turing complete. Its interpreter is as complex, if not more so, than that of JS, let alone WebAssembly (which is currently useless without JS relaying).

      Also, since most of the web doesn't even work anymore without JS, you are disabling it all the time. Especially on sites that crackers would target.

  • If not, why would I want this?

  • by BAReFO0t ( 6240524 ) on Wednesday February 26, 2020 @03:33AM (#59767852)

    It's not a document browser in any way shape or form anymore!
    Just a shitty OS tied tightly to a shitty VM that would be better if it were a full VM and a full OS, as we could at least replace them independently.

You know you've landed gear-up when it takes full power to taxi.

Working...