Archive for September 4th, 2008

Since I spent a relevant portion of my past two days answering email messages similar to the following, I decided to post a catch-all answer here.

Hi Giorgio,

I just read Google's introduction to its Chrome browser.
I was so impressed with its security features that I may even switch from Firefox to Chrome. (I didn't think that was even possible when I first heard of Chrome.)
Would you consider adapting your NoScript add-on to it?
I tried out Chrome and loved it, but the absence of NoScript was immediately apparent!

Seth

Hi Seth,

I've been playing with Chrome since it's been available, and I cannot say I'm impressed with its security.
I do like its speed, but Fx 3.1 builds with TraceMonkey enabled are already faster.
I really love its taskmanager: opening a random MySpace page and watching CPU and RAM consumption skyrocketing blamed precisely on the Flash plugin (70MB Flash, 28MB the page itself versus 11MB for an empty tab) is kind of cool, even if it comes with the cost of redundant resource allocation (if it was Firefox, crowds would be screaming "memory hog").
On the other hand, there's nothing apparently novel in its security approach, and it doesn't address any in-browser security problem, such as XSS or CSRF, at all.

The worst part, though, is that Chrome is not nearly as extensible as Firefox: cynical people may suspect this is to prevent something like AdBlock Plus or NoScript itself to be ported, biting advertisement bottom lines.
This is such a bummer that Google had to issue a late announcement about an extension API, but if it's gonna be like Opera's widgets (as I strongly suspect) it won't help.

BTW, one of Chrome's most hyped features, stability due to the claim you might crash one tab but not the whole browser, fully justifies the "beta" tag:
Chrome Crash

Cheers
--
Giorgio

Bad Behavior has blocked 951 access attempts in the last 7 days.