This is a really powerful tool and I hope we see this used more. Traditional process based sandboxing is very efficient inside the process, but IPC is very expensive. This approach flips the tradeoffs exactly backwards as the sandboxed code is slower, but IPC is nearly free. This means that it can cover exactly the space that was too expensive to sandbox before. The two approaches are perfect compliments for each other. I now imagine that the vast majority of code can be put into one of these two groups leaving very little code that is unable to be sandboxed for performance reasons.
I was thinking this implementation looks very similar to eBPF, where the injected code is translated to safe and native instructions, which improves security and performance. I wonder if they got some inspiration from the verifier+jit approach in the linux kernel. this is very very good and cool imo.
has anyone successfully built from source this new v95 with the sandboxing?
I (and others) have had this issue where the compiler provided as part of the mozilla builds dependencies is unable to complete that task. there’s an open bugzilla ticket, I tried with different stuff but the build compiles only I exclude the new sandboxing, hence I can’t compile the same firefox released by mozilla. any guidance would be appreciated :-(
wtf is webassembly actually? i know i can google it but i really doubt people are writing Assembly for the web?
deleted by creator
That’s exactly what it is to my understanding. Instead of using a scripting language Javascript, you can compile your web program down to a wasm binary using any language you like.
