Is a web browser _less_ secure when run within a Flatpak?

Posted May 28, 2025 7:22 UTC (Wed) by daenzer (subscriber, #7050)
In reply to: Is a web browser _less_ secure when run within a Flatpak? by swilmet
Parent article: The future of Flatpak

I was wondering the same thing while reading the article. Comparing the Sandbox section of about:support between the Flatpak and native Fedora versions, the only difference is that "User Namespaces" is false with Flatpak. Everything else is the same, including the "Sandbox Level" values.

I'm not sure about the implications of the lack of user namespaces, offhand it doesn't seem like a big difference though.

Is a web browser _less_ secure when run within a Flatpak?

Posted Jun 2, 2025 23:27 UTC (Mon) by swilmet (subscriber, #98424) [Link]

So in short, what the article says is that there is a workaround for the lack of nested sandboxing, but it's a fragile implementation.

My understanding is that "fragile" means it'll break when the surrounding code changes a bit too much, or when doing some heavy refactorings. Not great security-wise.

And in fact, "There have been issues with this approach for quite a while", the article says.

For the about:support page I'm not sure, Firefox maybe provides the same information for some fields, but internally the details would differ (the fragile side-sandbox for Flatpak, versus the full-blown sandboxing solutions for distro packages). To be confirmed, this is just supposition.