this post was submitted on 18 Jun 2024
59 points (91.5% liked)

Firefox

20363 readers
9 users here now

/c/firefox

A place to discuss the news and latest developments on the open-source browser Firefox.

Rules

1. Adhere to the instance rules

2. Be kind to one another

3. Communicate in a civil manner

Reporting

If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
golden_zealot@lemmy.ml
59
Did Firefox Stable for Android ever add Site Isolation? (lemmy.ml)
submitted 1 year ago* (last edited 1 year ago) by DreitonLullaby@lemmy.ml to c/firefox@lemmy.ml
39 comments fedilink hide all child comments
 

I heard around the internet that Firefox on Android does not have Site Isolation built-in yet. After a little bit of research, I learned that Site Isolation on Android was added in Firefox Nightly, appearing to have been added sometime in June 2023. What I can't find, though, is whether this has ever been added to any stable versions of Firefox yet. Does anyone know anything about this?

Update: After further research, it appears that Site Isolation is not currently a feature in stable version of Firefox on Android. I don't know with certainty if their information is up-to-date, but GrapheneOS (A well-known privacy/security-focused fork of Android) does not recommend using Firefox-based browsers on Android due to it's (apparently) lack of a Site Isolation feature. A snippet of what Graphene currently have to say about Firefox on Android/GrapheneOS from their usage guide page, is: "Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface."

On a side-note, they also say about Firefox's current Site Isolation on desktop being weaker, which I wasn't aware of. "Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole."

you are viewing a single comment's thread
view the rest of the comments
[–] sunzu@kbin.run 1 points 1 year ago (1 children)

alright i see, that does make more sense but they can still ID with you a cookie on all your concurrent sessions?

i guess this aint a security risk per see but wtf.. why they even need cross site cookies if they can do this.

[–] TrickDacy@lemmy.world 2 points 1 year ago (1 children)

Cross site cookies specifically are the concern here. Other cookies cannot be read arbitrarily

[–] sunzu@kbin.run 1 points 1 year ago (2 children)

i see, i thought they are turn off now by default? or at least there is a setting to block hem.

[–] TrickDacy@lemmy.world 2 points 1 year ago (1 children)

On FF on my android phone, I just checked and "strict" privacy mode is not on so I guess by default cross site cookies may be enabled. Thanks for asking these questions -- I'm setting that to Strict now.

[–] sunzu@kbin.run 1 points 1 year ago (1 children)

You did all the work...

I do keep mine on strict tho

I don't see why it is not set by default tbh prolly breaks some bullshot websites

[–] TrickDacy@lemmy.world 2 points 1 year ago

Yeah. Probably due to the fact that people will ignorantly declare firefox broken if they experience something like that. I don't think the standard setting is terrible for privacy either, btw, just a bit more permissive than "strict"

[–] TrickDacy@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

I'm not certain. The "strict" privacy setting in FF probably does block them. Not sure if it's default or not.