I heard around the internet that Firefox on Android does not have Site Isolation built-in yet. After a little bit of research, I learned that Site Isolation on Android was added in Firefox Nightly, appearing to have been added sometime in June 2023. What I can’t find, though, is whether this has ever been added to any stable versions of Firefox yet. Does anyone know anything about this?

Update: After further research, it appears that Site Isolation is not currently a feature in stable version of Firefox on Android. I don’t know with certainty if their information is up-to-date, but GrapheneOS (A well-known privacy/security-focused fork of Android) does not recommend using Firefox-based browsers on Android due to it’s (apparently) lack of a Site Isolation feature. A snippet of what Graphene currently have to say about Firefox on Android/GrapheneOS from their usage guide page, is: “Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface.”

On a side-note, they also say about Firefox’s current Site Isolation on desktop being weaker, which I wasn’t aware of. “Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole.”

    • boredsquirrel
      link
      fedilink
      30
      edit-2
      6 months ago

      Lol

      1. Bug with high priority
      2. A person clones it, assigns themselves
      3. doesnt have time, unassigns themselves
      4. Priority gets set lower
      5. A guy wants to work on it
      6. That guy doesnt work at Mozilla anymore
      7. The bug went from priority P5 to P1 and doesnt block anything anymore

      This is really bad. Especially as it seems like not that big of a change.

      • @[email protected]
        link
        fedilink
        7
        edit-2
        6 months ago
        1. doesnt have time, unassigns themselves

        Because someone else took over, as the person even says in a comment.

        1. Priority gets set lower

        Priority got set back to the priority it was at 4 minutes before. The priority being changed was clearly a mistake.

        1. A guy wants to work on it
        2. That guy doesnt work at Mozilla anymore

        OK?

        1. The bug went from priority P5 to P1 and doesnt block anything anymore

        It got retriaged. There are processes for this and it’s totally normal.

        This is really bad. Especially as it seems like not that big of a change.

        No it really isn’t bad at all. And it’s a massive change, the linked bug is a meta bug which means it is simply used to track the actual work. See all the bugs in the depends on section? That’s where the real work happens and there has been a ton of progress made.

        Also believe it or not, lots of discussion happens outside of bugs. You really have no idea what is going on just by looking at bug activity.

    • pizzaboi
      link
      fedilink
      English
      166 months ago

      Man, 5 years. I know nothing about building a browser, but that seems… Long.

    • @[email protected]OP
      link
      fedilink
      56 months ago

      I’m no professional, but from my research I’ve been doing, it appears that the risk (at least one of them) is that a hacker could in theory create a website that exploits this vulnerability. If you access their website, their site could be capable of stealing sensitive information from the other Firefox tabs that you may have loaded on the side, at any given time.

      • sunzu
        link
        fedilink
        5
        edit-2
        6 months ago

        Seems like pretty big risk… Wtf how is this still a thing?

        Kinda makes hard to keep telling people to switch

        • @TrickDacy
          link
          46 months ago

          What they said isn’t exactly true. The actual concerns are far more narrow than the way they worded it

          • sunzu
            link
            fedilink
            4
            edit-2
            6 months ago

            it would be nice if you would narrow it down for everybody while we are here?

            • @TrickDacy
              link
              26 months ago

              Well I’m not an expert and I don’t feel like digging up all the specifics but the concerns generally are cookies. The person who replied here made it sound like Mozilla is letting websites steal your credit card number from open tabs or something

              • @[email protected]
                link
                fedilink
                3
                edit-2
                6 months ago

                I too have a hard time telling whether the isolation features is a huge security risk or a minor one because things get too technical too quickly for me to follow.

                Case in point, this website makes it sound relatively trivial just due 8 how technical it is (Ctrl+F for Firefox)

                https://grapheneos.org/usage#web-browsing

                • @TrickDacy
                  link
                  36 months ago

                  Yeah, the graphene people hate Firefox, but I don’t really put too much stock in their opinion because there are places where they mention it in an alarmist way imo

              • sunzu
                link
                fedilink
                16 months ago

                alright i see, that does make more sense but they can still ID with you a cookie on all your concurrent sessions?

                i guess this aint a security risk per see but wtf… why they even need cross site cookies if they can do this.

                • @TrickDacy
                  link
                  26 months ago

                  Cross site cookies specifically are the concern here. Other cookies cannot be read arbitrarily

    • Possibly linux
      link
      fedilink
      English
      26 months ago

      If a site can exploit the browser engine they can access other pages. Normally the sandbox would make a exploit stay local

  • boredsquirrel
    link
    fedilink
    36 months ago

    Searching for fission (their site isolation is called like that) in about:config on Mull (FF Android 127) didnt give any obvious results