HC
New member
Status: New idea

I propose that a future version of Firefox have an optional feature that runs all Firefox code, cookies, file downloads and sensitive FF files in an emulation mode within a sandboxed environment. For many years I ran Firefox and other web browsers from inside a software container app called 'Sandboxie'. As a security environment, a sandbox app prevents any website or links from auto-executing malware scripts that can cause changes to the system software, or inserting malicious code into the root drive and boot-up files. The current version of Sandboxie Plus allows many different applications to run in its sandbox, but its current development is owned by an individual, not a software company. Can Firefox be improved to create its own security sandbox when it is running?

4 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

Anonymous
Not applicable

For Linux, Mozilla provides a Flatpak package ... which is essentially what you are asking for.

HC
New member

Reply to: igorlogius

Thank you for your comment. I disagree. As I understand it, a Linux-based software app created as a "flatpak package" is only designed to allow a Linux app to run so as to NOT be dependent on a particular Linux version, or have to rely on specific Linux OS "dependencies" or libraries, thus allowing the Flatpak software to be more widely distributed and operate independently across many different Linux OS versions installed on the computers it is using. Given the wide differences of Linux versions, having a Linux-based app run independently of a Linux version has real advantages for software deployment, but a Linux Flatpak software design is NOT a security method to protect a Linux OS from being hijacked by auto-executing malware accidentally triggered from nefarious websites and website links. Instead, a self-sandboxed application (or a sandbox container application like Sandboxie) is a security container that allows an app to use the OS's libraries, OS dependencies and features safely, in an emulation mode, so that NO original OS libraries, or other OS components, or the boot sector can be altered or changed by misbehaving software originating from external sources - like a website and its malware-ambushing links. A sandbox container app, or a self-sandboxing app (what I hope will become a Firefox feature for MS Windows 10/11 and Mac OS), is doing several OS and software protection services, by:

1) Running the software app in emulation mode, so that the app cannot be corrupted or hijacked by malware (ANY changes that occur to the emulated web browser are erased when the software is closed);

2) Running through emulation any necessary Windows OS libraries and .dll files, OS services, and other OS features, so that they cannot be altered or affected; and

3) Forcing unintended auto-executing malware scripts to have NO ACCESS to attack, insert themselves into or alter the OS and boot-up software; and they are automatically erased when the sandbox is cleared/shut down/ended.

HC

Saarsk
Strollin' around

@HC wrote:

I propose that a future version of Firefox have an optional feature that runs all Firefox code, cookies, file downloads and sensitive FF files in an emulation mode within a sandboxed environment. For many years I ran Firefox and other web browsers from inside a software container app called 'Sandboxie'. As a security environment, a sandbox app prevents any website or links from auto-executing malware scripts that can cause changes to the system software, or inserting malicious code into the root drive and boot-up files. The current version of Sandboxie Plus allows many different applications to run in its sandbox, but its current development is owned by an individual, not a software company. Can Firefox be improved to create its own security sandbox when it is running?

As far as I know, you are correct in that you cannot achieve what you are describing with Flatpak. However, KDE Plasma has permission options for individual Flatpak apps, and the OS itself can implement some further hardening policies and, depending on the distro, they do, if my understanding is correct.

While I do use KDE Plasma, I avoid Flatpaks wherever possible, so I haven't even tried these features myself. Which has more to do with me liking and preferring to deal with package management through DNF rather than the clumsy and annoying Flatpak way of things.

So a sandboxing or website containerisation functionality would be huge, actually. I don't think there has to necessarily be a performance impact either.