I heard around the internet that Firefox on Android does not have Site Isolation built-in yet. After a little bit of research, I learned that Site Isolation on Android was added in Firefox Nightly, appearing to have been added sometime in June 2023. What I can’t find, though, is whether this has ever been added to any stable versions of Firefox yet. Does anyone know anything about this?
Update: After further research, it appears that Site Isolation is not currently a feature in stable version of Firefox on Android. I don’t know with certainty if their information is up-to-date, but GrapheneOS (A well-known privacy/security-focused fork of Android) does not recommend using Firefox-based browsers on Android due to it’s (apparently) lack of a Site Isolation feature. A snippet of what Graphene currently have to say about Firefox on Android/GrapheneOS from their usage guide page, is: “Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface.”
On a side-note, they also say about Firefox’s current Site Isolation on desktop being weaker, which I wasn’t aware of. “Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole.”
It’s still being worked on. https://bugzilla.mozilla.org/show_bug.cgi?id=1565196
Lol
- Bug with high priority
- A person clones it, assigns themselves
- doesnt have time, unassigns themselves
- Priority gets set lower
- A guy wants to work on it
- That guy doesnt work at Mozilla anymore
- The bug went from priority P5 to P1 and doesnt block anything anymore
This is really bad. Especially as it seems like not that big of a change.
- doesnt have time, unassigns themselves
Because someone else took over, as the person even says in a comment.
- Priority gets set lower
Priority got set back to the priority it was at 4 minutes before. The priority being changed was clearly a mistake.
- A guy wants to work on it
- That guy doesnt work at Mozilla anymore
OK?
- The bug went from priority P5 to P1 and doesnt block anything anymore
It got retriaged. There are processes for this and it’s totally normal.
This is really bad. Especially as it seems like not that big of a change.
No it really isn’t bad at all. And it’s a massive change, the linked bug is a meta bug which means it is simply used to track the actual work. See all the bugs in the depends on section? That’s where the real work happens and there has been a ton of progress made.
Also believe it or not, lots of discussion happens outside of bugs. You really have no idea what is going on just by looking at bug activity.
Removed by mod
I’m not taking sides because I don’t currently have time or energy to look into the issues GrapheneOS and/or Micay may or may not have, but I will say that I don’t know how you could think (at least based on the information I referenced from Graphene in my post) that they are saying or implying to people that Firefox is less secure. They did say it was inherently less secure on Android, but not in general. They did say that the Site Isolation feature specifically is less secure even on Desktop, but they didn’t say that Firefox as a whole is inherently less secure, just that it currently is on Android. I can see how an average reader may interpret that as Firefox being less secure than Chromium as a whole, but that would simply be their own misinterpretation of what’s being said.
and “The moment anyone starts calling Firefox insecure, immediately become alert”. Why? Anything is capable of being insecure and Firefox equally so. At any given time, Firefox could have security vulnerabilities (as it does), so it’s quite ridiculous to automatically assume that anyone calling Firefox out for being insecure in some way is just Daniel Micay or his “minions”
“Micay and GrapheneOS, and fans/members associated like OP are well known for…”. Are you accusing me of being associated with Micay and GrapheneOS, or am I misunderstanding you?
Removed by mod
I’m not going to argue with you, because I can see it won’t accomplish anything good, so I’ll just leave it at this:
No, I did not promote the Chromium monopoly, I simply asked a question, about a security issue with Firefox; this is not the same as promotion. If I wanted to promote the monopoly, this post would have been telling people why they shouldn’t use Firefox and I would have posted it on a more broad community about Web Browsers and done so on Reddit for the most impact. I’m against this monopoly, and I intentionally go out of my way to not recommend Chromium-based browsers to people. Discussion about issues with something you love is only healthy, not a promotion of another side.
Removed by mod
deleted by creator
Reason for deletion: Decided it wasn’t worth arguing like my last comment said. The readers are smart enough to see what’s stupid about your comment without me having to defend myself.
Update: Oh, you deleted all your comments, good job.
Well I personally wouldn’t trust anything Graphene says
Was also asked about and answered in the recent AMA on reddit:
What is the actual risk here?
I’m no professional, but from my research I’ve been doing, it appears that the risk (at least one of them) is that a hacker could in theory create a website that exploits this vulnerability. If you access their website, their site could be capable of stealing sensitive information from the other Firefox tabs that you may have loaded on the side, at any given time.
Seems like pretty big risk… Wtf how is this still a thing?
Kinda makes hard to keep telling people to switch
What they said isn’t exactly true. The actual concerns are far more narrow than the way they worded it
it would be nice if you would narrow it down for everybody while we are here?
Well I’m not an expert and I don’t feel like digging up all the specifics but the concerns generally are cookies. The person who replied here made it sound like Mozilla is letting websites steal your credit card number from open tabs or something
I too have a hard time telling whether the isolation features is a huge security risk or a minor one because things get too technical too quickly for me to follow.
Case in point, this website makes it sound relatively trivial just due 8 how technical it is (Ctrl+F for Firefox)
