Post AvEDiUSCPHbAguKfVw by txt_file@chaos.social
 (DIR) More posts by txt_file@chaos.social
 (DIR) Post #AvDtTNKScGuPAPECFE by GrapheneOS@grapheneos.social
       2025-06-17T13:42:06Z
       
       1 likes, 1 repeats
       
       @js @txt_file @mozilla It is completely true. Firefox has no sandboxing for content on mobile. On desktop, it lacks completed site isolation. The site isolation feature on desktop has been largely but not fully implemented, and for a security feature it needs to be finished without remaining holes to be working. Firefox on desktop sandboxes content but with a much weaker sandbox than Chromium which does not properly protect browser data or sites from each other, and is far easier to bypass.
       
 (DIR) Post #AvDtaHnJamIe1q1Hdo by GrapheneOS@grapheneos.social
       2025-06-17T13:45:30Z
       
       1 likes, 1 repeats
       
       @js @txt_file @mozilla Firefox finally implemented multi-process on mobile but still without any content sandbox implemented, let alone site isolation (site isolation means sandboxing sites from each other and the browser itself). Firefox is getting close to having completed site isolation on desktop, but it is not done. Their sandbox on desktop is also much weaker and easier to escape. It also has much weaker exploit protections and far less work on finding/fixing bugs. It's a very soft target.
       
 (DIR) Post #AvDtnpS5lUR8BGYCBM by GrapheneOS@grapheneos.social
       2025-06-17T13:48:08Z
       
       1 likes, 1 repeats
       
       @js @txt_file @mozilla Firefox is dramatically worse at security compared to Chromium or most Chromium-based browsers. Privacy depends on security and is a complex topic, but Brave provides better anti-fingerprinting and other privacy features along with it being enabled by default.
       
 (DIR) Post #AvDwoeGZ8gdHdlF2q8 by GrapheneOS@grapheneos.social
       2025-06-17T13:50:25Z
       
       1 likes, 1 repeats
       
       @js @txt_file @mozilla Having each process in a basic sandbox does not make them isolated from each other when they have access to browser data and other sites via the APIs provided to them. Site isolation is not a given based on implementing sandboxing for each process. Site isolation is something they have had to implement beyond that and it's not completed. They have separated sites into their own processes but it's not a free feature to block them accessing more than they should be able to.
       
 (DIR) Post #AvDwokjV61LJhEpEm0 by GrapheneOS@grapheneos.social
       2025-06-17T13:52:04Z
       
       0 likes, 0 repeats
       
       @js @txt_file @mozilla Having each process in their own sandbox but able to access data for every site and the browser is not an implementation of site isolation. Firefox is providing similar semantics that Chromium was providing prior to site isolation being fully completed. It's a much weaker sandboxing implementation though, so it's also a lot easier to escape.Chromium had per-tab sandboxed processes from day 1 but it did not have site isolation until much later. It's not the same thing.
       
 (DIR) Post #AvDwoqbZGQYvuN9zF2 by GrapheneOS@grapheneos.social
       2025-06-17T13:53:30Z
       
       0 likes, 0 repeats
       
       @js @txt_file @mozilla For years, people had the wrong impression that Chromium's per-tab processes were protecting sites from each other and browser data from sites. It was not the case. They had to switch to strictly putting each site context into their own process including for iframes, etc. and then had to enforce strict boundaries between them at an IPC level. The broker process has to enforce not being able to access anything the site shouldn't be able to access at an OS process level.
       
 (DIR) Post #AvEDiUSCPHbAguKfVw by txt_file@chaos.social
       2025-06-17T10:51:26Z
       
       1 likes, 1 repeats
       
       because @mozilla thinks someone might be able to do harmful things with #WebUSB they do not want to add WebUSB to #firefox.I wonder if #mozilla has ever heard about the possibilities of JavaScript. 🙄 reference: https://mozilla.github.io/standards-positions/#webusb
       
 (DIR) Post #AvEDichNkiUsGJUuI4 by txt_file@chaos.social
       2025-06-17T11:06:21Z
       
       0 likes, 0 repeats
       
       So I can not use @mozilla #firefox to install @GrapheneOS. I have to use a Google based browser or do it manually.
       
 (DIR) Post #AvG6W80Fk2UYDuL4HQ by tipjip@bonn.social
       2025-06-18T06:41:36Z
       
       0 likes, 0 repeats
       
       @txt_file@mozilla @GrapheneOSTrue. And you also have to use Google hardware. It's .... strange.
       
 (DIR) Post #AvG6W9BHMWuDsOVO6a by txt_file@chaos.social
       2025-06-18T11:25:02Z
       
       0 likes, 0 repeats
       
       @tipjip actually no, it is not strange. If other vendors would provide 5 years of support _and_ upstreamed their drivers then @GrapheneOS would probably also support these devices. It seems that Google and Fairphone are the only companies that give such long support for devices.@calyxos is available for Google phones and some Motorola phones and Fairphone.
       
 (DIR) Post #AvG6WAErQhMh9nBlKK by GrapheneOS@grapheneos.social
       2025-06-18T15:19:11Z
       
       0 likes, 1 repeats
       
       @txt_file @tipjip CalyxOS is a non-hardened OS significantly rolling back privacy and security compared to the Android Open Source Project rather than improving it.https://eylenburg.github.io/android_comparison.htm is a good starting point showing the substantial differences between them.CalyxOS doesn't have similar security or support requirements for hardware and don't make the same use of Pixel hardware security features that we use. The non-Pixel devices they support don't meet basic security or support standards.