SerenityOS / ladybird

The Ladybird web browser

Sandboxing and other mitigations

DemiMarie opened this issue

In the modern threat environment, any browser should come with a strong sandbox and other exploit mitigations, for the safety of its users.

I feel a bit bad about making such a complex feature request on a project such as this, but I also want Ladybird’s security, and its users’ safety, to not rely merely on its small market share. While I have not used SerenityOS or Ladybird, the progress that you have made is impressive, and I do not mean to speak negatively of your accomplishments!

Thanks for the encouragement.

Ladybird already has several mitigations in place, such as running WebContent (rendering) in a separate process. Each Tab is currently in its own process, though of course that's not quite right for same-page browser contexts. On SerenityOS, the Browser runs image decoding, network transactions and web sockets in their own processes as well. We also have an OpenBSD-like pledge and unveil system that is heavily used by the Browser. Have a look at the Mitigations man page. We also run most of the included libraries through oss-fuzz.

I'm not sure if your feature request is particularly actionable? Sandboxing and security mitigations are certainly in the minds of the developers. However, per the Contributing.md of ladybird here and in serenity, we don't take feature requests from non-developers. Your comment on market share is also a bit confusing. Ladybird and SerenityOS are not seeking any kind of market share, it's a browser and operating system for developers by developers. If you have any specific mitigations in mind that it looks like we haven't implemented yet, feel free to hop on the SerenityOS Discord in the #browser or #js channels and the folks there will probably be interested enough to make an issue in the main serenity repository for each strategy, or explain how we're already on top of it.

> Thanks for the encouragement.

You’re welcome!

> Ladybird already has several mitigations in place, such as running WebContent (rendering) in a separate process. Each Tab is currently in its own process, though of course that's not quite right for same-page browser contexts. On SerenityOS, the Browser runs image decoding, network transactions and web sockets in their own processes as well. We also have an OpenBSD-like pledge and unveil system that is heavily used by the Browser. Have a look at the Mitigations man page. We also run most of the included libraries through oss-fuzz.

Nice! I would say you are very much ahead of the curve, then.

> I'm not sure if your feature request is particularly actionable? Sandboxing and security mitigations are certainly in the minds of the developers.

Glad to know!

> However, per the Contributing.md of ladybird here and in serenity, we don't take feature requests from non-developers.

That is 100% fair. Sorry for not reading that first. It is great that you are up-front about this; I’ve had negative experiences with projects where this was an unwritten rule.

> Your comment on market share is also a bit confusing.

Exploit writers are more likely to target something that more people use, as the return on investment is much higher.

> Ladybird and SerenityOS are not seeking any kind of market share, it's a browser and operating system for developers by developers.

And that is a completely valid choice to make. Thanks for your incredibly well thought-out response, and sorry if I wasted your time.