Closed Bug 453721 Opened 16 years ago Closed 16 years ago

Open Window with own sandbox and own session cookies

Categories

(Firefox :: Security, enhancement)

x86
Windows XP
enhancement
Not set
normal

RESOLVED DUPLICATE of bug 117222

People

(Reporter: nathanc, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Bug 359751 is a more specific/single use example of what I am asking for, but my request is for a more general architecture change. I filed it under security because it relates more to security than general browser usage.

It seems to me that cross-site scripting (XSS) and cross-site request forgeries (XSRF) would be severely limited if this architecture change is implemented.

The change is this:
Each new window launched from the file menu (including the associated shortcut key) or from a new command line launch would have its own sandbox and its own set of session cookies. New tabs and new windows launched from current pages (clicks) would share the sandbox and session cookies.

This architecture change is not trivial; it would affect the Session Restore module and would have to be tested thoroughly with many different sites that use DOM scripting.

Google Chrome has done this with every window and every tab. They seem to be assuming that DOM-scripted web pages do not open different windows, or that users like myself don't open new windows or new tabs on the same site to do comparisons (think bank account details vs. scheduled transfer details). However, maybe you can leverage some of their open-source code for most of the work done here.

Internet Explorer 7 has this feature, but only for new command line launches.

Reproducible: Always

If it's only session-cookies, it's a dupe of bug 117222. A real "sandbox" mode might need more drastic changes, up to a process per tab (which is what Chrome uses), which is bug 452272.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE