akc3n thanks but my question was a bit different: I am not talking about vanadium or google play i just wonder if ALL the app you install in Grapheneos are sandboxed or not.
Why this question on the nitrophone website (Nitrophone have Grapheneos as OS) they claim that ALL apps (Whatsapp, Signal, Telegram, etc) are sandboxes, but I could not find any trace of it in your user guide.
So I do wonder are all the app sandboxed or not?

https://www.nitrokey.com/news/2021/nitrophone-most-secure-android-planet
"All apps are sandboxed to protect against exploitable and malicious apps"

      a month later
      "You said that we could come to you if we had any questions..."

      .

      I want to get a proper understanding of site isolation so that I use it correctly and avoid "bad" practices. I've searched but didn't find specific enough answers.

      This has been asked in general ways several times before by others but they have gone unanswered or been misdirected (example) Which is why I'm asking anally explicit questions to avoid general talk and get to the bottom of this, hopefully.

      For reference, i have already read the following links carefully multiple times:

      https://grapheneos.org/usage#web-browsing
      https://www.chromium.org/Home/chromium-security/site-isolation/
      https://www.chromium.org/developers/design-documents/site-isolation/

      .

      I understand that there is two elements to site isolation;

      • standard site isolation policy as define by chromium which are "domain" based,

      • and process isolation, intended as a secondary layer for memory sandboxing.

        I specifically want to ask about the "standard" site isolation features, not the process isolation, since it seems the fundamental features are placed there.

      Based on my testing of vanadium and using a logged in instance of GOS Forum site i can see that there is essentially 2 partitions. The standard partition, and the "private browsing" partition. Visiting the gos forum "logged-in" in either of these partitions does not carry over to the other partition, it seems. It seems that I can have two separate instances of GOS forums this way.

      Question 1: can I actually trust that this is the case and these two instances are fully isolated from each other (for the same website)?

      Question 2: Is this bidirectional? Or can one see into the other but not the other way around? My testing seemed to suggest bidirectionality (neither sees into the other).

      .

      When I however tried to open the same site in the same partition but in a different tab (tried both in standard and private browsing modes) the site is not isolated between different tabs. Which suggests that tabs, even in private browsing, are not isolated from each other, at least for the same site. This seems to be in line with descriptions in the linked documentation regarding "sites being separated into own processes".

      Question 3: Am I correct about the above paragraph? Have I understood correctly?

      .

      But this still might not be indicative of multiple sites sharing the same partition.

      The real scenario that I (and likely others) want to protect from (and get an understanding of) is browsing from site to site, link to link, as you do, and staying private from those sites knowing which sites and pages i visited previously.

      This itself is split into two cases:

      • Case 1 - where I am logged into an account (google for example), and am travelling to other sites.
      • Case 2 - where I am not logged into anything and travelling from site to site.

      Question 4: due to the site isolation feature, is each site i visit separated into its own site container within a partition and not able to see any saved (or in memory) data from the other sites? Or are they able to see each others' cookies and other data?

      Question 5: would sites that have google analytics or other components (JS bundles) built into them be able to see the google account in case 1?

      Question 6: what about sites that don't have any google components built into them, will they be able to see the google account in case 1?

      Question 7: if sites are isolated within the same partition and are not able to see any data (cookies and other) from other sites then how do cross site cookies and cross site signalling work? Seems like an incompatible concept.

      Question 8: if sites within a partition can see each others' data (cookies, DOM storage, etc), if I open 10 different sites in 10 different tabs, (all remaining open, case 2) will the last site opened see the cookies set from first site? And will the first site see the cookies from the last site opened?

      Question 9: Does site isolation (containment) work exactly the same for standard browsing as compared to private browsing or does private browsing offer any extra isolation of any kind?

      Question 10: the additional site isolation added by GrapheneOS to Vanadium is of the "process" type and in the memory exploit protection realm, yes?

      .

      .

      Okay. And to redeem myself, I did NOT say it like him. So don't be pointin'.
      Context: https://www.youtube.com/watch?v=gWvnkuXkHaI
      More context: https://www.youtube.com/watch?v=EPQZkhC_QQs

        User2288 Once a web site sets a cookie, that cookie is normally available to that site in all tabs, but not across the regular/incognito boundary. That availability across tabs for the same site does not mean that the tabs are run by the same process, or that they aren't -- the issues are orthogonal. Whether or not cookies are shared across sites is a very complicated topic -- see, for example, Vanadium's settings about "third-party cookies".

        When you click from one site to another, the second site normally finds out about the first one via the Referer header.

        One of the key features of incognito mode is that cookies (etc.) are not saved. Sites are allowed to set cookies, because they demand that in order to work, but once you close all of your incognito tabs all of those cookies are gone forever. The same can be done manually for non-incognito tabs, e.g., Settings, Privacy and Security, Clear browsing data, Advanced, and/or Settings, Site settings, All sites.

          Yes "process" isolation is purely for the running process. Stored data is not containerized, that is why I think all this isolation stuff is so misleading.

          Firefox has containers and total cookie protection. You can open a new container and the locally stored cookies are seperated.

          This is a different field but both are important. All that "sandboxing" is for security, processes should not run code on another or the system.

          There is 3rd party cookie blocking, which means the site can save its cookie and know stuff about your interactions with that site. But a 3rd party like facebook can't place a cookie if you are on another site, and know you where here.

          Two different things here. Everything you "see" is cookies.

            missing-root Stored data is not containerized, that is why I think all this isolation stuff is so misleading.

            Vanadium does state partitioning which takes care of what you probably mean by "containerization" and is similar to FF's state partitioning (FPI, dFPI, TCP). But as you mentioned, this is a different topic than site isolation.

              User2288

              I could not make much sense of your questions in the context of site isolation. I assume that you actually mean state partitioning and not site isolation. See https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning for an introduction to that topic. Vanadium passes all state partitioning tests (except blob) on https://privacytests.org and blocks third-party cookies by default. You can test your browser config on https://privacytests.org/me.html . You can ignore the other sections on that website.

                How1 So Vanadium uses sandboxing to isolate websites?

                Vanadium sandboxes each site. Each renderer process runs in the isolatedProcess Selinux domain, which is a very restricted domain, even more than the normal app sandbox, with no permissions and only access to two binder services and uses fine-grained seccomp-filters to reduce attack surface. That's the environment which is supposed to be used for untrusted web content in the Android security model.