Google sandboxes Flash Player in latest Chrome builds

Google said on Wednesday that it has worked with Adobe to sandbox Flash Player in development builds of its Chrome browser application.

Google has been working with Adobe for nearly 8 months to ensure Flash Player takes advantage of the new sandboxing technology in Chrome. Google has previously sandboxed HTML rendering and JavaScript execution to provide its Chrome browser with extra security features. "This initial Flash Player sandbox is an important milestone in making Chrome even safer. In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox," wrote Justin Schuh, software engineer at Google, in a company blog post.

Chrome's sandboxing technology protects sensitive resources and information from being accessed by malicious code in the browser. The sandbox is a first line of protection for users against malware, viruses and adware. Flash Player uses a specially modified version of Chrome's sandbox technology. Google says the technology is included in the Windows XP, Vista and 7 versions of Chrome. "We’re working to improve protection against additional attack vectors, and will be using this initial effort to provide fully sandboxed implementations of the Flash Player on all platforms."

Users can get the latest version of Chrome by installing the dev channel builds of Chrome from Google's Chromium site. Google says those wishing to disable the sandbox can do so by adding '-disable-flash-sandbox' to the executable's command line.

19 Comments

LaP said,
Does it prevent flash cookies from being written to the hard drive?
Um, of course not. Google is the biggest web tracking company in the world. Would make no sense for them to do that.

That explains why flash/chrome is now crashing a lot for me, but I am sure they will get it solved. The joy of dev builds.

I assume this feature is enabled on the Windows builds of Google Chrome 9.0.597.0 dev then, which was released in tandem with that blog post.

The first comment on the blog post should be noted though: "Note that the sandbox breaks the flash Settings control panels, security exceptions (for controlling flash via javascript on local files), and flash file browse dialogs."

So... Remember that this is still a dev build.

Northgrove said,
I assume this feature is enabled on the Windows builds of Google Chrome 9.0.597.0 dev then, which was released in tandem with that blog post.

The first comment on the blog post should be noted though: "Note that the sandbox breaks the flash Settings control panels, security exceptions (for controlling flash via javascript on local files), and flash file browse dialogs."

So... Remember that this is still a dev build.

I am not sure how Google is implementing their plugin technology, but if they properly implement a mediation system for plugins, then breaks in Flash should be easily adjusted to request additional security/out of sandbox permissions when needed with restrictions.

(IE uses a plugin/addon broker technology for handling things like Flash and other technologies that sometimes have legitimate reasons to go outside of the limited security IE protected mode runs in.)

Is this the reason behind the 'xxxx could not be read' kernel messages and the increase in memory usage? Sometimes I forget I use the dev channel.

Correct me if I'm wrong but Chromium is the successor to the chrome browser right?

I've never understood the difference between the two.

Ently said,
Correct me if I'm wrong but Chromium is the successor to the chrome browser right?

I've never understood the difference between the two.


Google Chrome is based off of the Chromium project, which is the open-source code for the browser.

Ently said,
Correct me if I'm wrong but Chromium is the successor to the chrome browser right?

I've never understood the difference between the two.


Chrome=Chromium+Google features

This is great news all round.

I wonder what the hits will be for performance in the sandbox. Don't get me wrong, I'm all for safer browsing. I'm just curious about the cost in performance.

mranderson1st said,
This is great news all round.

I wonder what the hits will be for performance in the sandbox. Don't get me wrong, I'm all for safer browsing. I'm just curious about the cost in performance.


Flash's main problem for most of its uses is graphic performance, and aside from 3D computation and intense alpha blending it shouldn't affect that much. Even logical operations shouldn't be affected much, although I'm sure there will be some sort of hit.

mranderson1st said,
This is great news all round.

I wonder what the hits will be for performance in the sandbox. Don't get me wrong, I'm all for safer browsing. I'm just curious about the cost in performance.

A security sandbox has no performance cost.

On Internet Explorer, flash player, adobe reader and many other plugins (except java) are sandboxed since IE7/Vista (IE protected mode)... 4 years late, Google!

link8506 said,

A security sandbox has no performance cost.

On Internet Explorer, flash player, adobe reader and many other plugins (except java) are sandboxed since IE7/Vista (IE protected mode)... 4 years late, Google!

Technically, all plugins are sandboxed in IE protected mode.

However, depending on how the plugin broker is implemented (with MS approval), some plugins can have some limited access outside of protected mode. Even then, whatever limited features of the plugin are 'brokered' to run outside of protected mode are monitored and at most can only obtain user-level security.

Some plugins can use the broker to 'request' higher privileges, but again these are monitored, and will force a user prompt for the security request increase.