It's still being worked on. https://bugzilla.mozilla.org/show_bug.cgi?id=1565196
Firefox
A place to discuss the news and latest developments on the open-source browser Firefox
Lol
- Bug with high priority
- A person clones it, assigns themselves
- doesnt have time, unassigns themselves
- Priority gets set lower
- A guy wants to work on it
- That guy doesnt work at Mozilla anymore
- The bug went from priority P5 to P1 and doesnt block anything anymore
This is really bad. Especially as it seems like not that big of a change.
- doesnt have time, unassigns themselves
Because someone else took over, as the person even says in a comment.
- Priority gets set lower
Priority got set back to the priority it was at 4 minutes before. The priority being changed was clearly a mistake.
- A guy wants to work on it
- That guy doesnt work at Mozilla anymore
OK?
- The bug went from priority P5 to P1 and doesnt block anything anymore
It got retriaged. There are processes for this and it's totally normal.
This is really bad. Especially as it seems like not that big of a change.
No it really isn't bad at all. And it's a massive change, the linked bug is a meta bug which means it is simply used to track the actual work. See all the bugs in the depends on section? That's where the real work happens and there has been a ton of progress made.
Also believe it or not, lots of discussion happens outside of bugs. You really have no idea what is going on just by looking at bug activity.
Man, 5 years. I know nothing about building a browser, but that seems… Long.
Was also asked about and answered in the recent AMA on reddit:
Shit thats not good if its true
What is the actual risk here?
I'm no professional, but from my research I've been doing, it appears that the risk (at least one of them) is that a hacker could in theory create a website that exploits this vulnerability. If you access their website, their site could be capable of stealing sensitive information from the other Firefox tabs that you may have loaded on the side, at any given time.
Seems like pretty big risk... Wtf how is this still a thing?
Kinda makes hard to keep telling people to switch
What they said isn't exactly true. The actual concerns are far more narrow than the way they worded it
it would be nice if you would narrow it down for everybody while we are here?
Well I'm not an expert and I don't feel like digging up all the specifics but the concerns generally are cookies. The person who replied here made it sound like Mozilla is letting websites steal your credit card number from open tabs or something
I too have a hard time telling whether the isolation features is a huge security risk or a minor one because things get too technical too quickly for me to follow.
Case in point, this website makes it sound relatively trivial just due 8 how technical it is (Ctrl+F for Firefox)
Yeah, the graphene people hate Firefox, but I don't really put too much stock in their opinion because there are places where they mention it in an alarmist way imo
While I respect the work that they have done, leader handling of Lois rossmann was out of line.
I am not really sure what his deal is or was, but he should stay away from making public appearances until he learns to behave in public facing situation. The spazzing was uncalled for.
I don't like to speculate, but I think it was mental illness, which may have started during the CopperheadOS days (the predecessor to Graphene).
Unfortunately, that does call into question the recommendations on that page, which I already had a little worry about because Vanadium is their thing, of course they're going to recommend it.
But I do genuinely want to know how significant of a risk this lack of isolation and sandboxing causes.
He is nuts in general. I would stay far far away from graphene
alright i see, that does make more sense but they can still ID with you a cookie on all your concurrent sessions?
i guess this aint a security risk per see but wtf.. why they even need cross site cookies if they can do this.
Cross site cookies specifically are the concern here. Other cookies cannot be read arbitrarily
i see, i thought they are turn off now by default? or at least there is a setting to block hem.
I'm not certain. The "strict" privacy setting in FF probably does block them. Not sure if it's default or not.
On FF on my android phone, I just checked and "strict" privacy mode is not on so I guess by default cross site cookies may be enabled. Thanks for asking these questions -- I'm setting that to Strict now.
You did all the work...
I do keep mine on strict tho
I don't see why it is not set by default tbh prolly breaks some bullshot websites
Yeah. Probably due to the fact that people will ignorantly declare firefox broken if they experience something like that. I don't think the standard setting is terrible for privacy either, btw, just a bit more permissive than "strict"
Because it is hard to implement
If a site can exploit the browser engine they can access other pages. Normally the sandbox would make a exploit stay local
Ty
Well I personally wouldn't trust anything Graphene says
Searching for fission
(their site isolation is called like that) in about:config
on Mull (FF Android 127) didnt give any obvious results