wiki.mozilla.org/Mobile/GeckoVi
> Self-Contained: Because GeckoView is a standalone library that you bundle with your application, you can be confident that the code you test is the code that will actually run.
Targeting a specific release of a browser engine is a serious anti-feature.
Conversation
The status quo is targeting a stable API without being able to depend on a specific version, since it receives automatic updates. Encouraging applications to bundle their own web rendering engine specifically so they can delay updating it is serious step backwards for security.
1
1
3
Not to mention to severe loss of security going from a well sandboxed rendering engine like the standard WebView to a browser engine with no sandbox implementation for the platform. The 3rd point on that list is simply dishonest, which is typical of how Mozilla presents Firefox.
Replying to
Their initial claim that "many advanced Web APIs are disabled" in the WebView is misleading. A few features requiring a user interface outside of the content like Web Payments are unavailable. It still has more standards coverage than Firefox and is successfully used by browsers.
1
The WebView API is a stable API provided by the platform. In order to support a feature like Web Payments, integration for it would need to be added at a new API level. For a list of what's missing, see chromium.googlesource.com/chromium/src/+ and judge for yourself if it matches their claims.
This Tweet was deleted by the Tweet author. Learn more
Replying to
There's a standard isolatedProcess sandbox which is the semantic layer of the Chromium sandbox. They could be using that, if they were inclined to truly care about security rather than just the perception of it. I do think they plan to use it but it's clearly not a high priority.
1
Show replies