
Are there any plans to sandbox the content handling (e.g. HTML parsing and image loading) in a separate process to mitigate e.g. memory-safety issues and other security problems?

Firefox [1] and Chrome [2] use seccomp-bpf and various other Linux-specific APIs to implement their sandboxes. FreeBSD provides Capsicum [3] for this, but it's not supported by Firefox or Chrome.

Maybe Dillo could use the newer Landlock API [4] on Linux, which is being evaluated [5] for Chrome. This API seems more similar to Capsicum, so it might make it easier to support FreeBSD as well.

[1] https://wiki.mozilla.org/Security/Sandbox

[2] https://chromium.googlesource.com/chromium/src/+/refs/heads/...

[3] https://wiki.freebsd.org/Capsicum

[4] https://docs.kernel.org/userspace-api/landlock.html

[5] https://issues.chromium.org/issues/345514921
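As an added example (not Dillo's code, and not from either commenter): the kind of Landlock policy the question points at, confining a helper process that decodes untrusted content to read-only access beneath one directory. It assumes Linux 5.13 or later with Landlock enabled; the ll_* names are local stand-ins for the <linux/landlock.h> definitions.

```c
/* Added example, not Dillo's code: confine a content-decoding helper with Landlock so it
 * can only read beneath one directory. Assumes Linux 5.13+ with Landlock enabled; the
 * structs/constants mirror <linux/landlock.h>, syscall numbers 444-446 are arch-independent. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_VERSION_QUERY     (1U << 0)    /* LANDLOCK_CREATE_RULESET_VERSION */
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_FILE      (1ULL << 2)
#define LL_FS_READ_DIR       (1ULL << 3)
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* The kernel rejects (EINVAL) a ruleset that names rights it does not know, so the
 * "handle every filesystem right" mask must be cut down to the running ABI version. */
static uint64_t handled_fs_for_abi(int abi)
{
    uint64_t mask = 0x1fffULL;          /* ABI 1: EXECUTE .. MAKE_SYM, bits 0-12 */
    if (abi >= 2) mask |= 1ULL << 13;   /* LANDLOCK_ACCESS_FS_REFER */
    if (abi >= 3) mask |= 1ULL << 14;   /* LANDLOCK_ACCESS_FS_TRUNCATE */
    if (abi >= 5) mask |= 1ULL << 15;   /* LANDLOCK_ACCESS_FS_IOCTL_DEV */
    return mask;
}
/* Irreversibly restrict the caller to read-only access beneath dir; run it in the decoder
 * child before it touches untrusted input. Returns 0, or -1 (errno set, or no Landlock). */
static int confine_decoder(const char *dir)
{
    int abi = (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_VERSION_QUERY), rc = -1;
    if (abi < 0) return -1;
    struct ll_ruleset_attr rs = { .handled_access_fs = handled_fs_for_abi(abi) };
    int ruleset = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset < 0) return -1;
    struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR,
                                       .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
    if (pb.parent_fd >= 0 &&
        syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &pb, 0) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&   /* required before restrict_self */
        syscall(__NR_landlock_restrict_self, ruleset, 0) == 0)
        rc = 0;
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    close(ruleset);
    return rc;
}
```

The parent would fork, call confine_decoder() in the child, and then hand it the image or HTML bytes over a pipe; everything outside the allowed directory, and every write, then fails with EACCES in the child. Landlock only covers filesystem (and, on newer ABIs, TCP) access, so it complements rather than replaces a seccomp or pledge-style syscall filter.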



Yes, we did some experiments with pledge and landlock, but we need to redesign some parts to be able to properly isolate them into separate processes first.

In the short term you can disable CSS or images from the menu. You can also disable specific image decoders from the configuration with the "ignore_image_formats" option.



