Filing an initial bug to track that we'll want to sandbox the socket process for macOS, Linux, and Windows (will eventually split those into separate bugs).
My understanding is that most of the things in the sandbox process will be moved from the parent process -- so we don't need a sandbox before we ship those (though of course it'd be a nice security win if we did).
However, I believe some of the things are being moved out of the sandboxed content process, is that right? For these we really should have a sandbox before they ship, else we're regressing.
Is all of that right? Assuming it is, where in the roadmap is moving things out of the content process? And is the socket process ready for our team to look into helping out with sandboxing it?