The browser can still access your disk though, so any vulnerability in your browser means arbitrary access. An example from last year https://blog.mozilla.org/security/2015/08/06/firefox-exploit.... That's the reason that I decided to use firejail myself.
It's more a boundary for the browser not to pass because it has no business. I've seen an alternative approach which used a separate user account for Firefox and then SSH forwarding of X.
WebTorrent is something I'm afraid to try due to the laws in the place I live and nobody answered me when I asked if WebRTC p2p connections first show a permission popup like Microphone or Speaker access. I don't know how the file access APIs work in JavaScript, but it's scary to think a random website could have a random JS snippet that uploads a file from $HOME.
Could similar results be achieved with (x)wayland by spawning a separate X server for each application?
IIUC xwayland spawns an X server on demand, but just one (so X applications can spy on each-other while wayland apps
cannot, and X cannot spy on wayland apps).
Reminder that this breaks basic features like copy/paste, drag-and-drop, and a lot of applications that spawn helper applications and expect them to be on the same display.
There is a reason that the general Linux desktop camp is not adopting solutions like this and instead preferring Wayland, and that's that these systems can never be production ready and support the featureset that traditional X11 can support.
Also, I tested my keylogger [0] on this setup, and it still got through. Oops. They're proxying through XRecord and XTest it seems.
16 comments
[ 3.0 ms ] story [ 54.2 ms ] threadChrome have it pre-installed, just like microsoft had flash pre-installed. All perfect and dandy until the 0-days start to show up.
this is what i get if i try to start a hangout conference:
https://www.google.com/tools/dlpage/hangout?hl=en#hangouthtt...
There is a reason that the general Linux desktop camp is not adopting solutions like this and instead preferring Wayland, and that's that these systems can never be production ready and support the featureset that traditional X11 can support.
Also, I tested my keylogger [0] on this setup, and it still got through. Oops. They're proxying through XRecord and XTest it seems.
https://github.com/magcius/keylog