Sandboxing libraries with webasm is an interesting step forward, but on the whole, Firefox is still way behind chromium in security. There's still a massive amount of memory-unsafe code in Firefox, and the granularity and quality of the sandboxing ranges from significantly worse to comically worthless relative to chrome, depending on platform (e.g. audio, GPU, and network all live in the same process on linux, and escaping from that process is essentially trivial, because it has an X11 socket).
Thank you for this. Most people don't realise just how much effort has gone into securing chromium (and therefore chrome) and/or they conflate privacy and security.
One question, you mention memory unsafe code. Is chromium not written in C++? Isn't that still considered an "unsafe" language?
Yes, Chromium is basically entirely memory unsafe modulo mitigations [1], with the exception of some codecs being generated from a memory safe language. I meant that the memory safe parts of Firefox are a very small minority: it's also an enormous pile of memory unsafe C++.
Isn't that always true for any Firefox version?, at least with the correct 'about:config' tweaks. It could be more secure and private than others. Maybe the defaults are not that great but still better than others default.
No, it has not been that way. For a long time Google Chrome was the only browser that had sandboxing by using separate processes for each tab (essentially).
For a long time, Firefox did not isolate different different websites in different processes. Today, Firefox has something similar to process sandboxing afaik but it took them some time to do it because their browser has a very old codebase and it took time for them to disentangle everything to provide this feature.
Over the years, Chrome's sandbox has not stood still. It has become more and more sophisticated with various other features added (e.g. sandboxing in Linux using seccomp BPF -- e.g. https://chromium.googlesource.com/chromium/src/+/0e94f26e8/d... ). BTW web searching reveals that firefox is using seccomp too now. However, I don't know the details.
So it would be interesting for someone to have a comparison between the two today.
However, with RLBox, Firefox has added a very powerful sandboxing technology that goes beyond process isolation.
Its quite impressive and I do think that Firefox can now have grounds to argue that it's more secure than Chrome.
Wow, I never knew this existed. It's not even listed on the download page as "FireFox Developer", you need to click "Learn more about dev tools". From what I can tell, it's normal Firefox, but with added experimental features turned on.
Is this just a tweaked and tuned Firefox release aimed at developers? I like how they also go out of the way to enable dark theming :-)
Wow, didn't know this was available! They should add a message when the dev tools is opened to let developers know avout this developer edition. Thanks, will give it a try!
Firefox has Resend and Edit and Resend in the network pane, Chromium can debug NodeJS, has a unified sources tab that let's you edit files and (if you set it up) save them, and becomes unresponsive when prettifying large js files faster than Firefox. Those are the only differences I know of.
Firefox recently revamped the performance tools, that was the only thing keeping me in Chrome's developer tools. The new tools in Firefox beat out Chrome imo.
Difficult to pinpoint specifics, it's probably a matter of personal preference. I just enjoy working in Firefox's performance tools more than I enjoy working in Chrome's now.
Previously Fx lacked so many features that existed in Chrome that you couldn't really compare them.