
Comment by ar0

10 years ago

In fact, sandboxing the browser in a VM (which I think the author suggests, although he wants to go a more lightweight approach) with only limited file system access is what is done by many security-conscious enterprises such as banks. They usually embed Firefox in a Linux VM.

There is "Browser in the Box": http://www.sirrix.com/content/pages/BitBox_en.htm

And then there was also VMWare's Secure Browser Appliance (in 2005! although I cannot find any recent mentions of it): https://rcpmag.com/articles/2005/12/13/vmwares-secure-browse...

Taking this to a new level by implementing a sandbox tailor-made for this purpose might be a worthwhile approach. However, for it to be effective you will always need to inconvenience your users: As soon as the browser running in the sandbox has access to the full filesystem, you are back to where you started. And if the browser does not have full access to the filesystem (but e.g. only to a specific "Downloads" folder as in the current sandboxes) you inconvenience your users: E.g. for uploading files, you first need to copy them to the Downloads folder.

> E.g. for uploading files, you first need to copy them to the Downloads folder.

No, you need a "portal" or "intent" or "capability", whatever you want to call it. Browser asks sandbox to ask user to select a file, and browser gets that file. Android has been able to do this for a while, but full sdcard access is so easy that everyone uses it instead. Flatpak (née xdg-app) will do this.

  • This capability system is exactly how OS X's built-in sandbox works. Sandboxed apps don't have unrestricted access to the filesystem, but if they invoke the system-provided Open dialog, and the user selects a file, the application is granted access to that file (which it can persist, so it can continue to access that file in the future).
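The portal handoff described in the two replies above, as an added Python example that is not from either commenter: a trusted broker stands in for the file dialog, opens the file the user picked and passes only the descriptor over a Unix socket (SCM_RIGHTS), so the sandboxed side has no "open this path" API at all and cannot widen the grant (here it is read-only). Assumes a Unix host with Python 3.9+ for socket.send_fds/recv_fds; the "user-selected" file and its contents are constructed.

```python
import os
import socket
import tempfile
import threading

def portal_broker(sock, chosen_path):
    """Trusted side, outside the sandbox; chosen_path = the user's pick (constructed)."""
    while True:
        request = sock.recv(64)
        if not request:                      # app closed its end
            return
        if request != b"choose-file":        # no 'open this path' request exists
            sock.sendall(b"denied")
            continue
        fd = os.open(chosen_path, os.O_RDONLY)    # broker decides the mode
        socket.send_fds(sock, [b"granted"], [fd])  # SCM_RIGHTS handoff
        os.close(fd)                         # app now holds its own copy

def sandboxed_app(sock):
    """Untrusted side: holds no filesystem paths, only the broker socket."""
    sock.sendall(b"open:/etc/shadow")        # asking by path is refused
    direct = sock.recv(64)
    sock.sendall(b"choose-file")             # ask the user, via the broker
    msg, fds, _, _ = socket.recv_fds(sock, 64, 1)
    data, write_allowed = None, None
    if msg == b"granted" and fds:
        fd = fds[0]
        try:
            os.write(fd, b"tamper")          # read-only capability: EBADF
            write_allowed = True
        except OSError:
            write_allowed = False
        data = os.read(fd, 4096)
        os.close(fd)
    sock.close()
    return {"direct": direct, "data": data, "write_allowed": write_allowed}

def run_demo():
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"quarterly report\n")     # constructed sample content
        chosen = tmp.name
    broker_sock, app_sock = socket.socketpair()
    t = threading.Thread(target=portal_broker, args=(broker_sock, chosen))
    t.start()
    result = sandboxed_app(app_sock)         # returns what the app could see
    t.join()
    broker_sock.close()
    os.unlink(chosen)
    return result
```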