Firefox Built-In PDF Viewer
- "The real question is why the he$! is Firefox not sandboxed?"
- "I don't even want my browser to have a 'local file context', is there a way to switch such behavior off entirely until explicit permission is given?"
- "Run the browser in a container or in a sandboxed environment"
- "Time to start running everything in its own container"
As usual, the Hacker News crowd has some creative ideas here. On my last read of the thread I saw 20+ references to sandbox and containers, and about 30+ references to Docker. The underlying theme and call to action in the posts is consistent. It's about Isolation, which keeps content from the Web completely away from the endpoint.
Isolation is a very appealing concept, but until now it's been difficult to implement on a broad scale. One major question is where to do the isolation. Deploying endpoint software to do isolation has been tried with limited success owing to issues with device, OS and application dependencies, as well as the headaches involved in deploying endpoint software. Isolating and executing content away from the endpoint avoids these issues, but the challenge then is to deliver a high-fidelity experience for users that doesn't look like VDI or break their native experience.
We've worked really hard to address this in the Menlo Security Isolation Platform. With Menlo Security Document Isolation, a cloud service deployed as a simple proxy, we intercept links to documents that you click (PDF or Microsoft Office documents) and convert these in real time to HTML5, which is delivered, malware-free, to your device. The end result completely preserves the overall appearance of the source document. However, any code, macros, etc. (including potential malware) is completely stripped off in the process and never reaches the user. Best part? Deployment takes all of a few minutes and you can be up and running. So everyone on Hacker News (and beyond) can take heart - there is a way to eliminate malware risk from Web documents, without needing any changes to your browser or any other software on your device. It's called the Menlo Security Isolation Platform, and it's available now.