Vux wrote:I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?
Chrome as no "superior" security features over Firefox+NoScript, sandboxing aside (Firefox will get some in 3.7, probably).
To say it all, NoScript as many more security features than Chrome (e.g. ClearClick
), and the Google crew had even to disable their "XSS Auditor" filter (which already was quite easy to bypass) because of serious performance problems, so serious XSS protection
is again a bullet point for NoScript (IE8's competition on that side is a gun aimed at your feet
Most important, sandboxing is definitely overrated (yes, SandboxIE, I'm looking at you).
In this Web 2.0+ age, the ability to touch your hard disk and other system resources (which is what sandboxes try to impair) is not very important anymore: your in-browser password store and the services you access online (e.g. credit card transactions) are the most valuable targets, and an attacker can "own" them even without the need of a browser exploit (a web application vulnerability is enough). Of course, a browser vulnerability is a bonus, but manipulating to the browser process is more than enough, and no sandboxing can help you with that.
Notice that I've been talking about this stuff
already more than two years ago
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:22.214.171.124) Gecko/20100401 Firefox/3.6.3