IE8 does sometimes put multiple tabs in one process, but not all tabs are in the same process. I think Microsoft should move to one-process-per-tab too.

The problem is that all these processes run in the same sandbox (at the integrity level "Low"), so they are not protected from each other.

But, I'm not sure the rest of what Chrome does would be useful in IE.

Again, like IE, Chrome itself uses OS mechanisms for the sandboxing.

In particular, one thing that's strange about NaCl is that plugin processes have stronger security than Chrome itself.

This differentiation seems reasonable because Chrome itself is considered trusted code, whereas these plugins aren't.

I would still like to know, theoretically, what Chrome's design stops that cannot be stopped using IE8's design, modified to have one tab per process.

Since IE has one sandbox for all processes, one compromised tab could affect other tabs. Not so in Chrome. If IE switched to one process per tab and one sandbox per process, things would be more similar, but NaCl in a Chrome sandbox would still be more secure than ActiveX in an IE sandbox because of NaCl's additional layer of security. A NaCl plugin would need to exploit weaknesses in both NaCl and the Chrome sandbox in order to do any damage.