Linked by Thom Holwerda on Wed 1st Dec 2010 22:59 UTC
Google Finally! After pioneering sandboxing of Javascript and tabs in the browser, Chrome is now finally busy moving Flash into a sandbox. Windows users of the dev channel have been fed the new release with Flash sandboxing already.
Sandboxing is nice...
by UltraZelda64 on Wed 1st Dec 2010 23:21 UTC
UltraZelda64
Member since:
2006-12-05

...but I'd prefer an Internet without having to use Flash, period.

Google didn't exactly make a good example when they decided to include Flash with Chrome by default. Nice way to strengthen Adobe's already ridiculous reach on the Web.

Weakened security of the entire browser right from the start is just a side effect.

Reply Score: 1

RE: Sandboxing is nice...
by MoreTea on Thu 2nd Dec 2010 00:46 UTC in reply to "Sandboxing is nice..."
MoreTea Member since:
2009-10-22

Google has no other option. There are no (widespread) alternatives yet for advanced video delivery, like YouTube, that offer features like DRM support and subtitles.

Reply Score: 5

RE[2]: Sandboxing is nice...
by Lunitik on Thu 2nd Dec 2010 01:18 UTC in reply to "RE: Sandboxing is nice..."
Lunitik Member since:
2005-08-07

Simply false, in fact, the very site you mention here can be used almost exclusively without Flash at all via http://www.youtube.com/html5

Reply Score: 1

RE[3]: Sandboxing is nice...
by nt_jerkface on Thu 2nd Dec 2010 01:58 UTC in reply to "RE[2]: Sandboxing is nice..."
nt_jerkface Member since:
2009-08-26

That's for general video that doesn't require DRM.

Have a look at what their video rental service uses:
http://www.youtube.com/store

Reply Score: 2

RE[4]: Sandboxing is nice...
by lemur2 on Thu 2nd Dec 2010 04:31 UTC in reply to "RE[3]: Sandboxing is nice..."
lemur2 Member since:
2007-02-17

"That's for general video that doesn't require DRM."


Video doesn't require DRM. By far the most use of video on the web is for small ads and personal videos.

"Have a look at what their video rental service uses: http://www.youtube.com/store"


Ahhhhh ... you are on about something else entirely ... video rentals. You are saying that content providers say that they require DRM (certainly I can't see any content consumers saying they required DRM). Maybe so, but that is an entirely different thing to claiming that "video requires DRM".

Video rental is a tiny market indeed, a very small sub-division of "Internet video".

Solution: use a different, dedicated application to deliver DRM-encumbered on-demand video. Problem solved. Forget browsers, which are after all userland programs designed to render a wide range of material that is freely offered over the Internet for users to view. There should be no anti-user DRM requirement there.

Edited 2010-12-02 04:39 UTC

Reply Score: 5

RE[5]: Sandboxing is nice...
by Tuishimi on Thu 2nd Dec 2010 05:33 UTC in reply to "RE[4]: Sandboxing is nice..."
Tuishimi Member since:
2005-07-06

"Video rental is a tiny market indeed, a very small sub-division of "Internet video"."


I think that is a growing market and I know that now Netflix streams more video than it distributes DVDs - here in the States anyway.

Reply Score: 3

RE[6]: Sandboxing is nice...
by lemur2 on Thu 2nd Dec 2010 07:49 UTC in reply to "RE[5]: Sandboxing is nice..."
lemur2 Member since:
2007-02-17

"Video rental is a tiny market indeed, a very small sub-division of "Internet video".


I think that is a growing market and I know that now Netflix streams more video than it distributes DVDs - here in the States anyway.
"

Maybe so, but it still is small enough and distinct enough from the general nature of the web that it could easily be served by a separate application.

It certainly isn't a good enough reason to saddle every browser client with a requirement to support DRM. It serves the interests of only a teeny tiny percentage of people. It isn't the interests of people who run browsers and watch video that is being served by DRM ... in fact their rights are being "managed" (where "managed" is a euphemism for "restricted") on their own machines.

For every billion people:

Those whose interests are "managed" by DRM ~= 10^9
Those whose interests are served by DRM ~= 9.

Edited 2010-12-02 07:50 UTC

Reply Score: 5

RE[7]: Sandboxing is nice...
by Tuishimi on Thu 2nd Dec 2010 14:30 UTC in reply to "RE[6]: Sandboxing is nice..."
Tuishimi Member since:
2005-07-06

O.K. I see what you are saying... I misunderstood your angle.

Reply Score: 2

RE[7]: Sandboxing is nice...
by Lennie on Thu 2nd Dec 2010 17:24 UTC in reply to "RE[6]: Sandboxing is nice..."
Lennie Member since:
2007-09-22

I don't think Google would want to do this.

As one of their plans is Google Chrome OS and TV.

If people are creating separate applications, instead of using general web technologies, then possibly some things will not work on the Linux based Google Chrome OS or TV.

Reply Score: 2

RE[7]: Sandboxing is nice...
by lucas_maximus on Thu 2nd Dec 2010 17:44 UTC in reply to "RE[6]: Sandboxing is nice..."
lucas_maximus Member since:
2009-08-18

You obviously haven't heard of the BBC iPlayer.

Shows, after being shown on the BBC, are usually available for 1 week or until the next show comes out (whichever is longer usually). Some stuff that is one off and not expected to sell well is available for some time.

Pretty big thing in the UK ... and BBC will want to keep the DRM so that they can recoup the cash with sales of BBC series on DVD or Blu-ray. Which tbh is fair enough.

I don't expect that the BBC will be going to HTML5 ever.

The BBC does not show any commercials in the UK (not sure about other countries if they broadcast there) ... so it is impossible for them to recoup their investment from advertising.

Edited 2010-12-02 17:44 UTC

Reply Score: 1

RE[5]: Sandboxing is nice...
by helf on Thu 2nd Dec 2010 15:11 UTC in reply to "RE[4]: Sandboxing is nice..."
helf Member since:
2005-07-06

I would not call video rental a tiny market. It's a fast growing market that is already fairly large and there was just a report out stating that just Netflix used up 20% of America's bandwidth - http://www.zdnet.com/blog/networking/the-internet-belongs-to-netfli...

That is massive.

Course, flash really isn't necessary for Netflix, I don't think. I use a Roku box for my Netflix fix ;) I'm not sure what it is using to stream it.

Reply Score: 2

RE[5]: Sandboxing is nice...
by westlake on Thu 2nd Dec 2010 17:06 UTC in reply to "RE[4]: Sandboxing is nice..."
westlake Member since:
2010-01-07

"Video rental is a tiny market indeed, a very small sub-division of "Internet video"."


The Netflix stream is 21% of peak hour Internet download traffic in North America.

The Netflix client is built into your HDTV, video game console, Blu-Ray player, home theater receiver...

http://www.kansascity.com/2010/11/28/2478582/will-more-streaming-vi...

Reply Score: 2

RE[3]: Sandboxing is nice...
by Googol on Thu 2nd Dec 2010 11:15 UTC in reply to "RE[2]: Sandboxing is nice..."
Googol Member since:
2006-11-24

This has been discussed a million times over. Flash, and the display of flash video entails heaps of things more than the simple display of a video file and html5 is NOT a replacement for Flash -- which is not the same as claiming that it cannot display videos.

Stop the nagging, there is no alternative to Flash. Again, that is not the same as saying there is no alternative to watching videos.

Reply Score: 4

RE[4]: Sandboxing is nice...
by lemur2 on Thu 2nd Dec 2010 12:15 UTC in reply to "RE[3]: Sandboxing is nice..."
lemur2 Member since:
2007-02-17

"This has been discussed a million times over. Flash, and the display of flash video entails heaps of things more than the simple display of a video file and html5 is NOT a replacement for Flash -- which is not the same as claiming that it cannot display videos.

Stop the nagging, there is no alternative to Flash. Again, that is not the same as saying there is no alternative to watching videos."


HTML5 is not a replacement for Flash.

HTML5 is not the entirety of web standards, either. Web standards include HTML5, and also CSS3, SVG, ECMAscript, DOM and a range of others:
http://en.wikipedia.org/wiki/World_Wide_Web_Consortium#Standards

Those combined, working together, as they are meant to, are an alternative to Flash. Actually, they are a significant superset.

There are also emerging protocols, not yet standards, that go beyond even these:

http://en.wikipedia.org/wiki/Canvas_element
http://en.wikipedia.org/wiki/WebGL
http://en.wikipedia.org/wiki/Web_Open_Font_Format
http://en.wikipedia.org/wiki/Web_Workers

Flash can't compete with all of this.

Reply Score: 2

RE[2]: Sandboxing is nice...
by kaiwai on Thu 2nd Dec 2010 03:52 UTC in reply to "RE: Sandboxing is nice..."
kaiwai Member since:
2005-07-06

"Google has no other option. There are no (widespread) alternatives yet for advanced video delivery, like YouTube, that offer features like DRM support and subtitles."


True but there is no reason for it to be all one way or all the other - use Flash and HTML5 in the respective scenarios where it makes sense. I loathe Flash but the best one can do is limit its use to where it makes sense instead of abusing it like so many web developers seem to be hell bent on doing.

Reply Score: 5

RE[2]: Sandboxing is nice...
by UltraZelda64 on Thu 2nd Dec 2010 07:05 UTC in reply to "RE: Sandboxing is nice..."
UltraZelda64 Member since:
2006-12-05

"Google has no other option. There are no (widespread) alternatives yet for advanced video delivery, like YouTube, that offer features like DRM support and subtitles."

There are only a handful of sites I am forced to use Flash on--YouTube and a few porn sites (the video sections mostly). And if I played online games regularly (I don't), those too. The rest almost all run fine without it. No one else includes Flash by default, so Google certainly did have a choice--they apparently just figured they'd get a larger number of Chrome users by including it with the browser. How, I don't know--Flash already seems to be preinstalled on almost every computer. In reality, it doesn't seem like it gains them much.

Reply Score: 3

RE[3]: Sandboxing is nice...
by Lennie on Thu 2nd Dec 2010 17:28 UTC in reply to "RE[2]: Sandboxing is nice..."
Lennie Member since:
2007-09-22

I think they wanted to do the process separation for Flash, this maybe required a special build of Flash. So it is better to just include it.

Reply Score: 2

RE: Sandboxing is nice...
by google_ninja on Thu 2nd Dec 2010 01:03 UTC in reply to "Sandboxing is nice..."
google_ninja Member since:
2006-02-05

It's less about politics and more about making a great browser.

Reply Score: 4

RE: Sandboxing is nice...
by nt_jerkface on Thu 2nd Dec 2010 03:06 UTC in reply to "Sandboxing is nice..."
nt_jerkface Member since:
2009-08-26

"Google didn't exactly make a good example when they decided to include Flash with Chrome by default. Nice way to strengthen Adobe's already ridiculous reach on the Web."


The underlying motivation is Chrome OS. They want to throw everything into the browser and don't care if it means ensuring the Flash install base stays high.

They had a chance to displace Flash through YouTube but didn't act on it.

But the good news is that Flash at least has competition now.

Reply Score: 2

RE[2]: Sandboxing is nice...
by Kroc on Thu 2nd Dec 2010 10:04 UTC in reply to "RE: Sandboxing is nice..."
Kroc Member since:
2005-11-10

Just because Flash is bundled, doesn’t mean you have to ever use it. That is a conscious decision made by developers. Bundling Flash is for security reasons only. Adobe cannot be trusted to keep users secure. Their update mechanism is awful and their Flash download website tries to foist crapware on users.

Google didn’t invest $120M in On2 for nothing. HTML5 video simply isn’t nearly ready enough to wholesale replace Flash. It will when it is good and ready and Google are working on it.

Reply Score: 1

RE[3]: Sandboxing is nice...
by UltraZelda64 on Thu 2nd Dec 2010 14:12 UTC in reply to "RE[2]: Sandboxing is nice..."
UltraZelda64 Member since:
2006-12-05

"Just because Flash is bundled, doesn’t mean you have to ever use it."

It still advertises to every site that it is installed, adding a +1 to the count of visitors who have Flash--whether you ever really want to use it or not. Who says they want to help Adobe out in this way, inflating their already-high numbers?

"Bundling Flash is for security reasons only. Adobe cannot be trusted to keep users secure. Their update mechanism is awful and their Flash download website tries to foist crapware on users."

Did I just read that right? That Google is trying to "keep users secure" by preinstalling one of the most insecure plugins on the face of the planet? If anything, it should be *left out* for security reasons. And strictly recommended *against* installing for safety.

Edited 2010-12-02 14:13 UTC

Reply Score: 3

RE[4]: Sandboxing is nice...
by Lennie on Thu 2nd Dec 2010 17:30 UTC in reply to "RE[3]: Sandboxing is nice..."
Lennie Member since:
2007-09-22

They are bundling it, so that Chrome updates also update Flash and they are now adding sandboxing/process separation.

I think that is an improvement over using the one that is already installed.

Reply Score: 4

RE[3]: Sandboxing is nice...
by nt_jerkface on Thu 2nd Dec 2010 15:24 UTC in reply to "RE[2]: Sandboxing is nice..."
nt_jerkface Member since:
2009-08-26

"Just because Flash is bundled, doesn’t mean you have to ever use it. That is a conscious decision made by developers. Bundling Flash is for security reasons only."


They could sandbox it without bundling it.

As UZ64 already pointed out, this isn't about choosing to use it, the problem is that it boosts the Flash install base even if the user doesn't need it.

If Google was actually concerned with user security then they would have removed Flash from YouTube after purchasing it. They go well beyond just using it for videos, have a look at the giant Flash ad that they have on the home page:
http://www.youtube.com/

And don't tell me about Adobe and security. I'm the one who pointed out that a recent buffer overrun of theirs involved the textbook example of strcat(). You cannot read a book about buffer overruns without reading about strcat() and strcpy().

Google is not concerned with security. They after all got hacked by using IE6 internally. That is completely inexcusable given the nature of their business.

Reply Score: 3

I might this in IE & Opera.
by ramasubbu_sk on Thu 2nd Dec 2010 01:31 UTC
ramasubbu_sk
Member since:
2007-04-05

I'm an Opera & IE9 user. If sandboxing is really good then I want this feature in IE & Opera too ;)

Edited 2010-12-02 01:32 UTC

Reply Score: 1

What about other plugins?
by robojerk on Thu 2nd Dec 2010 02:31 UTC
robojerk
Member since:
2006-01-10

That's good and all, but what about other plugins?

Reply Score: 2

Comment by Luminair
by Luminair on Thu 2nd Dec 2010 04:53 UTC
Luminair
Member since:
2007-03-30

I object to calling Windows XP archaic

Reply Score: 2

RE: Comment by Luminair
by Tuishimi on Thu 2nd Dec 2010 05:31 UTC in reply to "Comment by Luminair"
Tuishimi Member since:
2005-07-06

You mean...

"I objecteth to thine callingst Windows XP archaic!"

LOL! Just kidding. ;)

Reply Score: 8

v RE[2]: Comment by Luminair
by ndrw on Thu 2nd Dec 2010 06:08 UTC in reply to "RE: Comment by Luminair"
RE[3]: Comment by Luminair
by nt_jerkface on Thu 2nd Dec 2010 07:25 UTC in reply to "RE[2]: Comment by Luminair"
nt_jerkface Member since:
2009-08-26

Feature-wise it still compares well against most alternatives.


It's fine when it comes to running programs but security....bleh.

Reply Score: 2

RE[4]: Comment by Luminair
by Kroc on Thu 2nd Dec 2010 07:43 UTC in reply to "RE[3]: Comment by Luminair"
Kroc Member since:
2005-11-10

Yeah, because Windows 7 is so much better: http://www.osnews.com/story/21653/Microsoft_Won_t_Fix_Windows_7_s_U...

90% of exploits are using Flash and PDF. Google know this. Google knows that Adobe completely suck and can’t get their act together so Google have to protect users from Adobe.

They’ve bundled Flash into Chrome so that it can be updated every 24 hours instead of 30 days. They’ve now sandboxed Flash, and they’re building in a PDF viewer into Chrome so people don’t have to download that abomination that is Acrobat.

Google are doing more for the average user’s security here than Microsoft, Adobe and Anti-virus vendors combined. If most exploits are coming through the web browser, and the web browser is locked down enough, then it won’t matter to the majority what OS they are using, even if it’s old and "insecure".

Reply Score: 2

RE[5]: Comment by Luminair
by vodoomoth on Thu 2nd Dec 2010 12:14 UTC in reply to "RE[4]: Comment by Luminair"
vodoomoth Member since:
2010-03-30

"They’ve bundled Flash into Chrome so that it can be updated every 24 hours instead of 30 days."

I don't see how this might happen... are Google devs going to fix Flash code?

Reply Score: 2

RE[6]: Comment by Luminair
by lemur2 on Thu 2nd Dec 2010 12:23 UTC in reply to "RE[5]: Comment by Luminair"
lemur2 Member since:
2007-02-17

"They’ve bundled Flash into Chrome so that it can be updated every 24 hours instead of 30 days.

I don't see how this might happen... are Google devs going to fix Flash code?
"

Flash is a protocol. Google's implementation of it is not Adobe's code, it is Google's code. Different code, same protocol.

Here is yet another emerging implementation of the same protocol:
http://www.phoronix.com/scan.php?page=news_item&px=ODgzNQ

Lightspark is also not Adobe's code, nor is it Google's code. Different code.

So no, Google devs will not fix Adobe's Flash, Google devs will work on the embedded Flash handler which is part of Chrome. Different thing entirely.

Edited 2010-12-02 12:24 UTC

Reply Score: 1

RE[7]: Comment by Luminair
by RichterKuato on Thu 2nd Dec 2010 13:54 UTC in reply to "RE[6]: Comment by Luminair"
RichterKuato Member since:
2010-05-14

That's inaccurate. Google Chrome doesn't use its own implementation of Flash. Google actually is fixing Adobe's code.

I believe Adobe allows all of their Open Screen Project partners access to their Flash Player code.

Reply Score: 2

RE[7]: Comment by Luminair
by vodoomoth on Thu 2nd Dec 2010 15:19 UTC in reply to "RE[6]: Comment by Luminair"
vodoomoth Member since:
2010-03-30

OK. My interpretation of the article as written was that there was some kind of partnership between Adobe and Google while in fact, this is not different from Chrome implementing CSS or JS: it's just an implementation of a specification.

EDIT: well Kroc's answer below is even hinting at the interpretation I had.

Edited 2010-12-02 15:21 UTC

Reply Score: 2

RE[6]: Comment by Luminair
by Kroc on Thu 2nd Dec 2010 15:15 UTC in reply to "RE[5]: Comment by Luminair"
Kroc Member since:
2005-11-10

No, but when there is a fix from Adobe, Google can push the update out to users within 24 hours, rather than users having to wait 30 days for the Flash update prompt, which they then immediately dismiss.

Reply Score: 2

RE[5]: Comment by Luminair
by nt_jerkface on Thu 2nd Dec 2010 16:01 UTC in reply to "RE[4]: Comment by Luminair"
nt_jerkface Member since:
2009-08-26



Yea it is, here is a better link:
http://www.conceivablytech.com/3473/science-research/botnets-hit-wi...

ASLR, UAC and having a basic scanner installed by default makes life much harder for malware writers. That's a fact.


"Google are doing more for the average user’s security here than Microsoft, Adobe and Anti-virus vendors combined."

That's funny. What do you think has kept the Flash install base so high? Crappy Flash ads? Before Hulu got popular everyone was installing Flash exclusively for YouTube. Apple is the only company that has drawn a line with Flash, albeit for disingenuous reasons. Google is concerned with getting as many eyeballs as possible to see their ads, not security. There are small companies on thin budgets that tell IE6 users to F the hell off. What does billions in the bank Google do with them? Pussyfoots around and only shows Chrome ads to them on YouTube.


"If most exploits are coming through the web browser, and the web browser is locked down enough, then it won’t matter to the majority what OS they are using, even if it’s old and "insecure"."

Windows7/Vista provide an additional line of defense. That recent Firefox drive-by attack at the Nobel website was only looking for XP users since the attack would trigger UAC in Windows7/Vista.

XP is an unneeded security risk. Its use should be absolutely discouraged.

Reply Score: 4

RE[6]: Comment by Luminair
by Lennie on Thu 2nd Dec 2010 17:57 UTC in reply to "RE[5]: Comment by Luminair"
Lennie Member since:
2007-09-22

As a non-Windows user and web developer, I just want Windows XP (and old IE-versions) to go away.

Windows XP is the last barrier which prevents us from using SSL/TLS (https) easily everywhere. This is because IE and Safari on Windows XP use the Windows library for talking to https-websites/-servers and it does not support name-based virtual hosting for https-websites.

So a server has to be configured with extra IP-addresses, etc.

Reply Score: 5
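
The limitation described in the comment above is a TLS handshake without the Server Name Indication (SNI) extension, so the server never learns which hostname was requested before it must present a certificate. As an added example (not part of the original comment; the hostnames, addresses, certificate labels and the `select_certificate` helper are constructed for illustration), this parses a ClientHello for SNI and shows why a client without it forces one IP address per HTTPS site:

```python
import struct

def build_client_hello(hostname=None):
    """Build a minimal TLS 1.0 ClientHello record (constructed sample, not a capture)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        extensions = struct.pack("!HH", 0x0000, len(sni)) + sni  # extension type 0 = server_name
    body = (
        b"\x03\x01"            # client_version: TLS 1.0
        + bytes(32)            # random (zeroed in this sample)
        + b"\x00"              # empty session_id
        + b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"          # one compression method: null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _take(buf, pos, n):
    """Return n bytes at pos and the new position, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n

def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the client sent none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body, _ = _take(record, 9, int.from_bytes(record[6:9], "big"))
    pos = 2 + 32                                   # skip version and random
    sid_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, sid_len[0])          # session_id
    cs_len, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, int.from_bytes(cs_len, "big"))  # cipher suites
    cm_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, cm_len[0])           # compression methods
    if pos == len(body):
        return None                                # no extensions block at all
    ext_total, pos = _take(body, pos, 2)
    exts, _ = _take(body, pos, int.from_bytes(ext_total, "big"))
    pos = 0
    while pos < len(exts):
        header, pos = _take(exts, pos, 4)
        ext_type, ext_len = struct.unpack("!HH", header)
        data, pos = _take(exts, pos, ext_len)
        if ext_type == 0x0000:
            if len(data) < 5 or data[2] != 0:      # need list length, type, name length
                return None
            name, _ = _take(data, 5, struct.unpack("!H", data[3:5])[0])
            return name.decode("ascii").lower()
    return None

def select_certificate(record, local_ip, certs_by_name, default_cert_by_ip):
    """Hypothetical server-side choice: use SNI when present, else the per-IP default."""
    name = extract_sni(record)
    if name in certs_by_name:
        return certs_by_name[name]
    return default_cert_by_ip[local_ip]

def demo():
    certs = {"shop.example": "cert:shop.example",
             "blog.example": "cert:blog.example"}
    shared_ip = {"192.0.2.10": "cert:shop.example"}       # two sites, one address
    dedicated = {"192.0.2.10": "cert:shop.example",
                 "192.0.2.11": "cert:blog.example"}       # one address per site
    sni_client = build_client_hello("blog.example")
    legacy_client = build_client_hello()   # wants blog.example but cannot say so
    return {
        "sni_shared_ip": select_certificate(sni_client, "192.0.2.10", certs, shared_ip),
        "legacy_shared_ip": select_certificate(legacy_client, "192.0.2.10", certs, shared_ip),
        "legacy_dedicated_ip": select_certificate(legacy_client, "192.0.2.11", certs, dedicated),
    }

if __name__ == "__main__":
    for case, cert in demo().items():
        print(case, "->", cert)
```

On the shared address the client without SNI is handed the default site's certificate, which does not match the name it asked for; only the dedicated address gives it the right one.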

RE[7]: Comment by Luminair
by Luminair on Fri 3rd Dec 2010 11:46 UTC in reply to "RE[6]: Comment by Luminair"
Luminair Member since:
2007-03-30

it works fine if people are using firefox or chrome though, right? they should be using these with windows 7 too, so I don't blame ie shit bleed on xp, I blame it on ie

Reply Score: 2

RE[6]: Comment by Luminair
by Kroc on Thu 2nd Dec 2010 20:19 UTC in reply to "RE[5]: Comment by Luminair"
Kroc Member since:
2005-11-10

“trigger UAC…”

Allow.

Reply Score: 2

RE[7]: Comment by Luminair
by nt_jerkface on Fri 3rd Dec 2010 00:56 UTC in reply to "RE[6]: Comment by Luminair"
nt_jerkface Member since:
2009-08-26

Sure but it makes it a lot harder to hide a drive-by attack when it flags UAC. That Nobel website attack was looking at user agent strings to avoid 7 and Vista users.

Reply Score: 2

RE[6]: Comment by Luminair
by Luminair on Fri 3rd Dec 2010 11:45 UTC in reply to "RE[5]: Comment by Luminair"
Luminair Member since:
2007-03-30

new users should be encouraged to use windows 7, this is true

but if they happen to use any sort of antivirus-firewall-HIPS sort of software, and keep everything up to date, xp is A-OKAY

Reply Score: 2

RE[3]: Comment by Luminair
by Luminair on Fri 3rd Dec 2010 11:42 UTC in reply to "RE[2]: Comment by Luminair"
Luminair Member since:
2007-03-30

people do some strange thumb modding let me tell you

Reply Score: 3

RE[4]: Comment by Luminair
by ndrw on Sat 4th Dec 2010 01:18 UTC in reply to "RE[3]: Comment by Luminair"
ndrw Member since:
2009-06-30

How about having more than just one mod counter, then? Eg., one for the "agree/disagree", one for presentation, one for information content, humor etc.

The way it is now (everything mixed together), it is more a popularity contest than anything else. Even I can produce a comment that will earn +5 or more but it is simply no fun to write something obvious that everyone agrees with.

Reply Score: 1

RE[5]: Comment by Luminair
by Luminair on Sat 4th Dec 2010 03:41 UTC in reply to "RE[4]: Comment by Luminair"
Luminair Member since:
2007-03-30

it's not a simple problem to solve, that is for sure

Reply Score: 2

Sandboxing plugins on Linux
by _xmv on Thu 2nd Dec 2010 11:19 UTC
_xmv
Member since:
2008-12-09

I've been sandboxing plugins on Linux (not just Flash. Mind you, Java & friends aren't more secure.) for years.

It's simple, in the past you were using a plugin wrapper, now you can use the integrated plugin wrappers.

They all start a separate process for the plugin.

That process is isolated with your favorite mandatory access control system, be it SELinux, RSBAC, TOMOYO, AppArmor or what not.

It's also most likely a lot more secure than the way Chrome does it, since a bug in Chrome can only affect the initial sandbox startup here.

I actually think that all these sandboxes should be replaced by generic security (SELinux, RSBAC, ..) and work should be made to make them seamless or part of a dev API (eg if it's supported the rules are auto setup by the program/package)

Reply Score: 4

RE: Sandboxing plugins on Linux
by vodoomoth on Thu 2nd Dec 2010 12:13 UTC in reply to "Sandboxing plugins on Linux"
vodoomoth Member since:
2010-03-30

"I actually think that all these sandboxes should be replaced by generic security (SELinux, RSBAC, ..) and work should be made to make them seamless or part of a dev API (eg if it's supported the rules are auto setup by the program/package)"

With the diversity of access control systems available, do you envision an API emerging?

Reply Score: 2

RE: Sandboxing plugins on Linux
by RichterKuato on Thu 2nd Dec 2010 14:01 UTC in reply to "Sandboxing plugins on Linux"
RichterKuato Member since:
2010-05-14

It's not that kind of sandboxing. They aren't just putting Flash into its own process here. They are sandboxing the instances of Flash into separate processes. So in theory if one Flash object crashes the other instances still remain.

This is what they wanted to do from the start (when they first showed off sandboxing) but couldn't. Partly because they didn't have access to Adobe's code before.

Reply Score: 1

Comment by jabbotts
by jabbotts on Thu 2nd Dec 2010 12:51 UTC
jabbotts
Member since:
2007-09-06

"After pioneering sandboxing of Javascript and tabs in the browser, Chrome is now finally busy moving Flash into a sandbox."

I thought opera and firefox tabbed browsing predated Chromium.

Reply Score: 4

RE: Comment by jabbotts
by kittynipples on Thu 2nd Dec 2010 14:16 UTC in reply to "Comment by jabbotts"
kittynipples Member since:
2006-08-02

Every tab in chrome runs in its own process. This is why one tab can't cause the entire browser to crash.

Reply Score: 1

RE[2]: Comment by jabbotts
by helf on Thu 2nd Dec 2010 15:04 UTC in reply to "RE: Comment by jabbotts"
helf Member since:
2005-07-06

except it can. I've had chrome flake out on a tab plenty of times taking the entire app down with it. It also makes it use up an extraordinary amount of ram.

Reply Score: 2

RE[2]: Comment by jabbotts - tabs
by jabbotts on Thu 2nd Dec 2010 18:20 UTC in reply to "RE: Comment by jabbotts"
jabbotts Member since:
2007-09-06

That would make sense. Chrome was the first to separate each tab into a separate system process. (ugly as sin in the task manager but if it works ...)

My initial reading suggested only the tabbed browsing not each tab as a process.

Reply Score: 2

RE[2]: Comment by jabbotts
by vivainio on Thu 2nd Dec 2010 19:12 UTC in reply to "RE: Comment by jabbotts"
vivainio Member since:
2008-12-26

"Every tab in chrome runs in its own process. This is why one tab can't cause the entire browser to crash."


Ironically, Chrome these days causes my entire *computer* to crash hard (10 secs without mouse movement, then shutdown). Ubuntu 10.04, nvidia. PPA snapshots haven't fixed the issue.

That's why I switched to running firefox 4 betas. Possibly as fast & responsive as chrome, but without sandboxing - and without hard computer crashes.

Reply Score: 2

RE[3]: Comment by jabbotts
by Dave_K on Thu 2nd Dec 2010 19:31 UTC in reply to "RE[2]: Comment by jabbotts"
Dave_K Member since:
2005-11-16

"Ironically, Chrome these days causes my entire *computer* to crash hard (10 secs without mouse movement, then shutdown). Ubuntu 10.04, nvidia. PPA snapshots haven't fixed the issue."


I've had a similar experience with Chrome on Windows. The system was so unresponsive it hadn't even displayed the task manager after 25 minutes of waiting. Not quite a full OS crash, but there's little practical difference when the system's rendered unusable without a restart. Definitely puts me off using the browser.

"That's why I switched to running firefox 4 betas. Possibly as fast & responsive as chrome,"


Seriously? On Windows I find the latest FF4 beta so sluggish that it sometimes gives me flashbacks to browsing with Netscape 2 on a 386. After I've been using it for a while I can often count to 3 after clicking a tab before it displays.

Reply Score: 1

RE[4]: Comment by jabbotts
by lemur2 on Thu 2nd Dec 2010 22:06 UTC in reply to "RE[3]: Comment by jabbotts"
lemur2 Member since:
2007-02-17

"Seriously? On Windows I find the latest FF4 beta so sluggish that it sometimes gives me flashbacks to browsing with Netscape 2 on a 386. After I've been using it for a while I can often count to 3 after clicking a tab before it displays."


Seriously?

Firefox 4 beta 7 is the fastest and most feature-full browser of all on most systems. You must be doing it wrong, somehow.

Reply Score: 2

RE[5]: Comment by jabbotts
by Dave_K on Fri 3rd Dec 2010 01:36 UTC in reply to "RE[4]: Comment by jabbotts"
Dave_K Member since:
2005-11-16

"Firefox 4 beta 7 is the fastest and most feature-full browser of all on most systems. You must be doing it wrong, somehow."


It's hardly a "feature-full" browser compared with Opera... Maybe after a dozen different extensions have been installed to add a sidebar, mouse gestures, tab tiling, etc.

I'm open to the possibility that something has gone wrong with my clean install of FF4b7, but Opera and Chrome run just fine on the same PC.

Reply Score: 3

RE[3]: Comment by jabbotts
by zlynx on Thu 2nd Dec 2010 19:33 UTC in reply to "RE[2]: Comment by jabbotts"
zlynx Member since:
2005-07-20

Your whole system crashes? Wow.

Not using Chrome may solve your problem, but you've still got a problem in there, somewhere.

It could be the hardware. Chrome might be revealing a defective RAM stick or there's a bug in the video drivers or the kernel.

If a web browser can crash your entire system, it really isn't the browser's fault.

Just sayin.

Reply Score: 2

RE[4]: Comment by jabbotts
by vivainio on Thu 2nd Dec 2010 19:59 UTC in reply to "RE[3]: Comment by jabbotts"
vivainio Member since:
2008-12-26


"Not using Chrome may solve your problem, but you've still got a problem in there, somewhere.

It could be the hardware. Chrome might be revealing a defective RAM stick or there's a bug in the video drivers or the kernel."


I know. Yet, I run pretty hard core stuff on it (windows xp on vmware) and yet chrome is the only thing that crashes it. And it does this pretty systematically.

It may be ram, bad computer model (Dell Precision M2400) or something, but not using Chrome is easier than getting the hardware debugged.

Reply Score: 2

jabbotts Member since:
2007-09-06

"If a web browser can crash your entire system, it really isn't the browser's fault. " ... unless it's IE.

(I couldn't resist.. )

Reply Score: 2

RE[2]: Comment by jabbotts
by Erunno on Sat 4th Dec 2010 14:46 UTC in reply to "RE: Comment by jabbotts"
Erunno Member since:
2007-06-22

"Every tab in chrome runs in its own process. This is why one tab can't cause the entire browser to crash."


This myth needs to die.

1. Child tabs pointing to the same domain as the parent will reuse its parent tab's process. If one tab crashes, it takes the whole family with it.

2. Chrome has right now an upper limit on how many content processes it will spawn (around 35-40 last I checked). After that it will start distributing new domains to existing content processes.

3. I've had dead tabs crash the whole of Chrome since a couple of versions on two different operating systems. Symptoms: A tab is apparently loading but you can't switch to it. If you close the tab, Chrome goes the way of the dodo.

Edited 2010-12-04 14:48 UTC

Reply Score: 3

yay sandboxing! maybe
by helf on Thu 2nd Dec 2010 15:03 UTC
helf
Member since:
2005-07-06

I haven't tested it, but I wonder if it handles it better than firefox. I noticed the other day that when I'm playing a flash game (you can pry my tower defense games from my cold dead fingers) in a tab and I decide to tear the tab off into its own window, it reloads the flash file in the new tab. REEAAALLLY annoying when I'm on level 15 and about to take on the boss ;P

Reply Score: 2

RE: yay sandboxing! maybe
by nt_jerkface on Thu 2nd Dec 2010 16:07 UTC in reply to "yay sandboxing! maybe"
nt_jerkface Member since:
2009-08-26

I really don't see how anyone can play Flash games without wanting to chuck the computer across the room. Blinky ads, kludgey controls, ugh.

But on a positive note you should check out the South Park tower defense game on Xbox live. It's one of the best I have ever played.

Reply Score: 2

RE[2]: yay sandboxing! maybe
by zlynx on Thu 2nd Dec 2010 19:36 UTC in reply to "RE: yay sandboxing! maybe"
zlynx Member since:
2005-07-20

I never understood how anyone can play tower defense games with those crap console controllers.

I can place six items with my G9X mouse before I can get just one into place with those analog sticks.

Hand and fingertip movement is always going to be more precise than thumb angle.

Reply Score: 2

RE[3]: yay sandboxing! maybe
by nt_jerkface on Sun 5th Dec 2010 02:43 UTC in reply to "RE[2]: yay sandboxing! maybe"
nt_jerkface Member since:
2009-08-26

Ah pc gaming elitism, my friend is still going through that stage.

Maybe you should try the game before trashing it. It isn't a point-n-click game converted to the console. It's designed around the controller and far more challenging than any of the recent pc tower defense games.

Edited 2010-12-05 02:44 UTC

Reply Score: 2

What about accessibility?
by spiderman on Thu 2nd Dec 2010 16:24 UTC
spiderman
Member since:
2008-10-23

It's nice that they care about security but when are they going to fix accessibility? That's the biggest problem with flash right now in my opinion. Webkit has a lot of accessibility issues as well BTW. They don't seem to care about it.

Reply Score: 2

Sandboxing in MSE
by fran on Thu 2nd Dec 2010 18:19 UTC
fran
Member since:
2010-08-06

I would really like sandboxing to become a feature of MSE or maybe even Windows itself.
Windows can be secure as hell but for other software we install on it.

Let's just hope Microsoft don’t get sued if MSE gets too many bells and whistles:-(

Kaspersky Internet Security for example (and maybe other AV companies as well) lists all your applications, from where you can sandbox them or give them varying amounts of networking privileges.

Kaspersky also does a vulnerability scan and compiles a list of applications that are unpatched or insecure.

With MSE you can use Secunia's free home edition to do this job, but it would have been nice in MSE as well.

Edited 2010-12-02 18:22 UTC

Reply Score: 1

RE: Sandboxing in MSE
by fran on Fri 3rd Dec 2010 11:02 UTC in reply to "Sandboxing in MSE"
fran Member since:
2010-08-06

Update
After my post I searched if sandboxing is a Windows feature.
Microsoft 7 Ultimate has a sandboxing application in the form of "AppLocker"


http://www.microsoft.com/windows/enterprise/products/windows-7/feat...

I don't know if this extends to browser plugins?

Reply Score: 1

Just relax
by rain on Sun 5th Dec 2010 00:46 UTC
rain
Member since:
2005-07-09

Flash will go away eventually. Google knows it and even Adobe knows it. But it will take time and Flash is still something that almost everyone will install either way, so why not try to make it as secure as possible?

I'm with Google on this one as I don't think not including flash with Chrome would make any difference. And if they banned flash completely then no one would use the browser, because it's just a browser, not a shiny cool iDevice.

Adobe has been preparing for flash to lose foothold for quite some time now. In fact with CS5 they have shown that they have serious intentions on becoming the leading HTML5 authoring tool developer.
That's where they make the money anyway.

Reply Score: 1