I heard around the internet that Firefox on Android does not have Site Isolation built-in yet. After a little bit of research, I learned that Site Isolation on Android was added in Firefox Nightly, appearing to have been added sometime in June 2023. What I can’t find, though, is whether this has ever been added to any stable versions of Firefox yet. Does anyone know anything about this?

Update: After further research, it appears that Site Isolation is not currently a feature in stable version of Firefox on Android. I don’t know with certainty if their information is up-to-date, but GrapheneOS (A well-known privacy/security-focused fork of Android) does not recommend using Firefox-based browsers on Android due to it’s (apparently) lack of a Site Isolation feature. A snippet of what Graphene currently have to say about Firefox on Android/GrapheneOS from their usage guide page, is: “Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface.”

On a side-note, they also say about Firefox’s current Site Isolation on desktop being weaker, which I wasn’t aware of. “Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole.”

  • sunzu@kbin.run
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    Seems like pretty big risk… Wtf how is this still a thing?

    Kinda makes hard to keep telling people to switch

    • TrickDacy@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      What they said isn’t exactly true. The actual concerns are far more narrow than the way they worded it

      • sunzu@kbin.run
        link
        fedilink
        arrow-up
        0
        ·
        5 months ago

        it would be nice if you would narrow it down for everybody while we are here?

        • TrickDacy@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          5 months ago

          Well I’m not an expert and I don’t feel like digging up all the specifics but the concerns generally are cookies. The person who replied here made it sound like Mozilla is letting websites steal your credit card number from open tabs or something

          • sunzu@kbin.run
            link
            fedilink
            arrow-up
            0
            ·
            5 months ago

            alright i see, that does make more sense but they can still ID with you a cookie on all your concurrent sessions?

            i guess this aint a security risk per see but wtf… why they even need cross site cookies if they can do this.

              • sunzu@kbin.run
                link
                fedilink
                arrow-up
                0
                ·
                5 months ago

                i see, i thought they are turn off now by default? or at least there is a setting to block hem.

                • TrickDacy@lemmy.world
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  5 months ago

                  On FF on my android phone, I just checked and “strict” privacy mode is not on so I guess by default cross site cookies may be enabled. Thanks for asking these questions – I’m setting that to Strict now.

                  • sunzu@kbin.run
                    link
                    fedilink
                    arrow-up
                    0
                    ·
                    5 months ago

                    You did all the work…

                    I do keep mine on strict tho

                    I don’t see why it is not set by default tbh prolly breaks some bullshot websites

                • TrickDacy@lemmy.world
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  edit-2
                  5 months ago

                  I’m not certain. The “strict” privacy setting in FF probably does block them. Not sure if it’s default or not.