In the Omniverse repository a new browser is available, named Floorp.
It's a young project - about 1.5 years old - from a group of Japanese students, based on Firefox-ESR, with these key features from https://floorp.app/en/:
- Strong Tracking Protection: Floorp offers robust tracking protection, safeguarding users from malicious tracking and fingerprinting on the web.
- Flexible Layout: Customize Floorp's layout to your heart's content, including moving the tab bar, hiding the title bar, and more for a personalized browsing experience.
- Switchable Design: Choose from five distinct designs for the Floorp interface, and even switch between OS-specific designs for a unique look.
- Regular Updates: Based on Firefox ESR, Floorp receives updates every four weeks, ensuring up-to-date security even before Firefox's releases.
- No User Tracking: Floorp prioritizes user privacy by abstaining from collecting personal information, tracking users, or selling user data, with no affiliations with advertising companies.
- Completely Open Source: The full source code for Floorp is open to the public, allowing transparency and enabling anyone to explore and build their own version.
- Dual Sidebar: Floorp features a versatile built-in sidebar for webpanels and browsing tools, making it perfect for multitasking and quick access to bookmarks, history, and websites.
- Flexible Toolbar & Tab Bar: Customize your browser with Tree Style Tabs, vertical tabs, and bookmark bar modifications, catering to both beginners and experts in customization.
- User-Centric Web Experience: Floorp prioritizes user privacy and collaboratively blocks harmful trackers.
Note: the Floorp Settings pages contain some links to recommended extensions.
An article on Floorp:
https://browsertouse.com/blog/24836/floorp-browser-review/
Good timing, as my latest obsession has been sifting through GitHub for Firefox userChrome.css modifications in search of a functional minimalist theme and/or top bar. This just has it as default and it works better than the userChrome hackiness I have seen so far.
Very nice :)
Cool! First time I heard of this project. It sounds very interesting, I will have to check this out!
It doesn't look good. Take a look at this:
default connections (first run):
push.services.mozilla.com 443 HTTP <= 1.1 true 0 0
www.google.com 443 HTTP/3 true 1 0
docs.ablaze.one 443 HTTP/3 true 1 0
docs.ablaze.one 443 HTTP/2 true 0 0
detectportal.firefox.com 80 HTTP <= 1.1 false 0 1
floorp-update.ablaze.one 443 HTTP/2 true 1 0
contile.services.mozilla.com 443 HTTP <= 1.1 true 0 0
r3.o.lencr.org 80 HTTP <= 1.1 false 0 1
www.google.com 443 HTTP/2 true 1 0
detectportal.firefox.com 80 HTTP <= 1.1 false 0 0
ablaze.one 443 HTTP/2 true 0 0
ocsp.pki.goog 80 HTTP <= 1.1 false 0 1
firefox.settings.services.mozilla.com 443 HTTP <= 1.1 true 0 0
blog.ablaze.one 443 HTTP/2 true 1 0
ablaze.one 443 HTTP/3 true 1 0
cdn.jsdelivr.net 443 HTTP/2 true 0 0
www.google.com 443 HTTP/2 true 0 0
t3.gstatic.com 443 HTTP/3 true 1 0
www.google.com 443 HTTP/3 true 1 0
t0.gstatic.com 443 HTTP/2 true 0 0
t3.gstatic.com 443 HTTP/2 true 0 0
ocsp.pki.goog 80 HTTP <= 1.1 false 0 2
cdn.jsdelivr.net 443 HTTP/3 true 1 0
detectportal.firefox.com 80 HTTP <= 1.1 false 0 1
raw.githubusercontent.com 443 HTTP/2 true 1 0
location.services.mozilla.com 443 HTTP <= 1.1 true 0 0
t0.gstatic.com 443 HTTP/3 true 1 0
www.google.com 443 HTTP/2 true 1 0
static.cloudflareinsights.com 443 HTTP <= 1.1 true 0 0
shavar.services.mozilla.com
connections after turning homepages:
Hostname Port HTTP Version SSL Active Idle
detectportal.firefox.com 80 HTTP <= 1.1 false 0 1
shavar.services.mozilla.com 443 HTTP <= 1.1 true 0 0
floorp-update.ablaze.one 443 HTTP/2 true 1 0
contile.services.mozilla.com 443 HTTP <= 1.1 true 0 0
t0.gstatic.com 443 HTTP/3 true 1 0
detectportal.firefox.com 80 HTTP <= 1.1 false 0 0
firefox.settings.services.mozilla.com 443 HTTP <= 1.1 true 0 0
www.google.com 443 HTTP/3 true 1 0
www.google.com 443 HTTP/3 true 1 0
r3.o.lencr.org 80 HTTP <= 1.1 false 0 1
ocsp.pki.goog 80 HTTP <= 1.1 false 0 2
detectportal.firefox.com 80 HTTP <= 1.1 false 0 1
location.services.mozilla.com 443 HTTP <= 1.1 true 0 0
t3.gstatic.com 443 HTTP/3 true 1 0
push.services.mozilla.com 443 HTTP <= 1.1 true 0 0
www.google.com 443 HTTP/2 true 1 0
DNS Connections:
https://i.postimg.cc/PvfqZ1sJ/Floorp-Connections.png
And a very quick security check:
security.ssl.require_safe_negotiation > FALSE
security.ssl.treat_unsafe_negotiation_as_broken > FALSE
TRR not set to "3" (not sure about your ISP, but it should be the default, not to mention the OpenBSD guys are right and removed the code... software should obey systemwide settings...).
Should a browser decide connections for me? Should it connect to something I hadn't even asked it for? Should it establish connections before I click anything? My answer is no. And here we even have Google...
P.S. Did someone check root certificates? Did someone decompress omni.ja? Who are those Japanese?
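One way to read the two connection dumps in the post above, as an added example that is not part of the original thread: it parses rows in the Hostname / Port / HTTP Version / SSL / Active / Idle layout, groups hostnames by site, lists the hosts reached without TLS, and shows which hosts are gone in the second dump. The rows are excerpted from the post; the function names and the last-two-labels grouping are assumptions made for this example.

```python
import re
from collections import defaultdict

# One row: hostname, port, HTTP version, SSL, active, idle.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(HTTP(?:/\d|\s*<=\s*1\.1))\s+(true|false)\s+(\d+)\s+(\d+)$")
# Rows excerpted from the two dumps in the post (not the full lists).
FIRST_RUN = """\
www.google.com 443 HTTP/3 true 1 0
docs.ablaze.one 443 HTTP/3 true 1 0
detectportal.firefox.com 80 HTTP <= 1.1 false 0 1
floorp-update.ablaze.one 443 HTTP/2 true 1 0
ocsp.pki.goog 80 HTTP <= 1.1 false 0 2
cdn.jsdelivr.net 443 HTTP/2 true 0 0
shavar.services.mozilla.com
"""
AFTER_HOMEPAGE = """\
Hostname Port HTTP Version SSL Active Idle
detectportal.firefox.com 80 HTTP <= 1.1 false 0 1
floorp-update.ablaze.one 443 HTTP/2 true 1 0
www.google.com 443 HTTP/3 true 1 0
ocsp.pki.goog 80 HTTP <= 1.1 false 0 2
"""

def parse(dump):
    """Map hostname -> set of (port, tls); header and truncated rows are skipped."""
    hosts = defaultdict(set)
    for line in dump.splitlines():
        m = ROW.match(line.strip())
        if m:
            hosts[m.group(1)].add((int(m.group(2)), m.group(4) == "true"))
    return dict(hosts)

def by_site(hosts):
    """Group hostnames by their last two labels (naive: no public-suffix list)."""
    groups = defaultdict(list)
    for h in sorted(hosts):
        groups[".".join(h.split(".")[-2:])].append(h)
    return dict(groups)

def plaintext(hosts):
    """Hostnames reached at least once without TLS."""
    return sorted(h for h, c in hosts.items() if any(not tls for _, tls in c))

def dropped(before, after):
    """Hostnames present in the first dump but absent from the second."""
    return sorted(set(before) - set(after))

if __name__ == "__main__":
    first, second = parse(FIRST_RUN), parse(AFTER_HOMEPAGE)
    print(by_site(first), plaintext(first), dropped(first, second), sep="\n")
```

Pasting the complete dumps into the two strings gives the full picture; rows that are cut off, like the last one in the first dump, are ignored rather than guessed at.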
Hmm, I've been using this browser exclusively since I saw this posted. Is this app a big security risk? Spyware/malware? Phishing? etc? Any word / conclusion?
Yes. Using this browser is a security risk.
Well, honestly I don't see anything dubious in that packet cap log, so it's as much of a security risk as stock Firefox is (a small one already compared to other mainstream browsers...)
With decent browsers the biggest security risk is generally the user.
You contradict yourself. Programs making their own mind up about DNS by default would not equal "obeying systemwide settings". I want the setting on 5. "Explicitly off". (On the Floorp based new Firedragon it is on 5 by default)
My computers use my router for DNS. My router uses DNS over TLS with a server of my choice.
Do these things have WebAssembly built in?
Yes
To disable it in Firefox (and derivatives):
Type about:config in the URL bar and set javascript.options.wasm to false
which is what it should be. It is a fallacy that SSL gives security. Often it is insecure. It is nothing for a phishing site to acquire an SSL cert.
Bad certificates should kick up a warning message and not just /dev/null the page. Honestly, SSL is a PIA and I've dozens of valid sites with old SSL certs.
The Let's Encrypt program is not well thought out or well designed.
It is also laughable, if not sad, that people worried about DNS hijacking (really - sending all your inquiries to 8.8.8.8 is SECURE .... NAH) have no trouble sending every traffic jump in their browser to Verisign et al.
This forum, for example, is SSL through Google Trust Services LLC. Do I trust Google? No, Google is in my noscript block. Do I care if anyone can read my packets to and from this forum? NOT AT ALL. I'm posting to a public forum. LET IT FLY.
yeah - thanks for anticipating that question.
based on what? You need to be more specific than that, and explain your position, please, in plain language.
You are kind of stuck then. While this almost sounds rational, it isn't. Every AJAX and SOAP application - which is nearly the entire internet - uses preboxed video, images, and even scripts, to get function from an otherwise dysfunctional and flat http protocol.
Furthermore, ever since MOSAIC, this html code
<IMG SRC="URI">MY IMAGE</IMG>
Is not just valid, but ESSENTIAL and it pulls requests and data from any computer on the public internet.
Here:
(http://www.mrbrklyn.com/images/brooklyn/2020_08_fishing/porgie_zilla.png)
That image is compliments of MRBRKLYN and is served to you on a hot platter from Flatbush. NO SSL needed. Enjoy. You didn't ask for it or click on it, but you got it.
This is not the world before hypertext and gophernet.
This is the internet. It has been built with a balancing act of risk versus safety from the start. But at NO TIME did an http call ever restrict itself to only things you click on. There has always been a cascade of requests.
..... error - sorry