david [b] rosen wrote:
> Sandboxing the browser tabs themselves is a big improvement over
> firefox/ie, but I feel that it isn't enough. Any files downloaded
> should remain jailed in a sandbox specific to the domain of its
> origin, until and unless the user explicitly moves any of them out of
> the sandbox. I'm envisioning this being similar to one of the
> third-party sandbox programs like Sandboxie, but instead of everything
> going into one (or one of a few) explicitly-defined sandbox(es), a
> separate sandbox should be created automatically for each domain as
> needed.
>
> Of course we need a way to open such documents within the sandbox,
> meaning that the application that opens it should be a separate
> instance that is tainted to be able to write only within the sandbox.
> I think some of the sandbox utilities do this, and Vista does
> something similar by effectively separating domains by their
> "integrity level," but it does not separate them by domain, so there's
> nothing to stop malware from one site from modifying the data that you
> send to another site of the same integrity level.
>
> I know this is getting more towards the operating system level, but
> what do you think?
>
> david rosen

I think it's a great idea, albeit in no way easy.

The first step is already done. Files downloaded by Chromium (on NTFS partitions) have the "Zone.Identifier" alternate data stream, specifying a ZoneId of 3 (Internet), so high-risk extensions (see KB 883260) will produce a Windows prompt before opening.

The next step would be adding a field with the source domain. Applications aware of it could check it to treat the file with lower trust (e.g. disabling macros). Creating full sandboxing would be harder, and Microsoft collaboration almost required (they will want to duplicate the same functionality, so better to agree on the format beforehand).
The sandboxing system could be used to launch the opening application with lower privileges, but that may not always give good results. As an example, many applications keep just one instance open, and the next time a file is opened it is passed to the already-running instance. So suppose Chromium launches a process with no write permission to open a downloaded file. It finds another process and the dangerous file is opened by a normal process. Less secure, but acceptable. Sadly, the opposite can also happen: the main application is the unprivileged one and the user opens another file, which then goes into the sandbox and can't be saved. (Or even easier, you try to create a new document from the sandboxed application.)
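As an added example (not code from this thread or from Chromium), here is how an application could consume the Zone.Identifier stream described above: it parses the INI-style `[ZoneTransfer]` section, reads `ZoneId`, and, when a `HostUrl` key is present (later Windows versions do record the source URL there; the thread only proposes such a field), extracts the origin host so the application can lower trust for Internet-zone files. It assumes CPython 3; `read_zone_identifier` only finds a stream on an NTFS volume, and on other filesystems it returns None.

```python
import re
from urllib.parse import urlsplit

# Well-known URLMON zone ids as written into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}


def parse_zone_identifier(text):
    """Parse the text of a Zone.Identifier stream.

    Returns a dict with 'zone' (int or None), 'zone_name', 'host' (the
    hostname of a HostUrl key when present, else None) and the raw keys
    of the [ZoneTransfer] section. Keys outside that section are ignored.
    """
    keys = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    zone = None
    if re.fullmatch(r"\d+", keys.get("zoneid", "")):
        zone = int(keys["zoneid"])
    host = urlsplit(keys["hosturl"]).hostname if "hosturl" in keys else None
    return {"zone": zone, "zone_name": ZONE_NAMES.get(zone, "Unknown"),
            "host": host, "keys": keys}


def should_reduce_trust(info):
    """Policy decision: Internet (3) and Restricted (4) files get reduced trust.

    A missing or unparsable ZoneId is treated as untrusted (fail closed).
    """
    return info["zone"] is None or info["zone"] >= 3


def read_zone_identifier(path):
    """Read the Zone.Identifier ADS of a file on NTFS; None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None
```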
