Chrome on OS X - Browser security done right

Chrome, by default, makes use of the built in sandboxing functions of OS X. Take a look: -http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design

Very impressive and leaps and bounds above any default install of any browser on any platform. Of course, the same can be accomplished in Linux, but nowhere near as elegantly. As far as I know, AppArmor and SELinux cannot be configured by a running application in order to restrict itself. The most impressive part of all this is how transparent this is to the user and how effective.

Some relevant code not mentioned in the article: -http://src.chromium.org/svn/trunk/src/chrome/common/sandbox_mac.mm

Only potential hole I can see is the utility process with the on the fly defined directory for read/write access. I spent a few minutes searching through the source and failed to find out how exactly this variable is defined in code. No reason why it cannot be handled securely, though.

 

And why is this important? How come browser usage is always focused into singularity = security. How about being able to render pages properly or provide a simple and useful interface? How about language support, codecs, accessibility for visually impaired and such?

All browsers have security done right, more or less. The only important difference is whoever sits in front of it and hammers the keyboard. Nothing software can beat human stupidity. And if you're smart enough to know Chrome or whatever exists, apart from OS default, then you're already 10 light years ahead.

Mrk