
First of all I would like to thank the Orion team, as it seems that the Orion browser is amazing so far!
I would like to send a report from BrowserAudit and share my worries about the critical issues I received using Orion on a desktop MacBook Pro (Intel).

And the warnings

Thank you for your time!

    The results under iOS are almost excellent:


      wgdev What is BrowserAudit, why is it relevant, and what exactly is your concern?

      Please structure this bug report in a way that it is clear what your ask is. Thanks.

        Hello Vlad,
        I really appreciate your reply.
        BrowserAudit is a free service for testing how well the most common security standards and features are implemented in a web browser.
        Orion is a browser, as are Safari and Firefox, where I repeat the same tests and the reports return no critical issues.
        Thank you.


          Vlad

          Ah why!
          I get the following, and I have disabled the extensions (I use the same ones on Firefox as well). They are uBlock Origin and KeePassXC.

          [link removed]


            wgdev When you find out why/steps to reproduce let us know 🙂

              Vlad
              I wish I could! 🙂 I would have done that already! 😃

                Orion Version 0.99.121.1-beta (WebKit 614.1.20)
                on Ventura 13.0.1 (22A400)

                Created a new browser profile (entirely empty)
                Visited https://browseraudit.com and proceeded with default settings

                The "critical" reports are all relating to same origin policy:

                • 1x cookie illegal domain value (a cookie set for domain .test.browseraudit.com, set by domain browseraudit.com was sent to test.browseraudit.com)
                • 12x XHR-related ones, which seem to be saying that (in short) as long as served over HTTPS, websites could make XHR requests to other domains and subdomains, which shouldn't be possible.

                My understanding is that these requests indeed should be blocked, to prevent XHR across domains.

                If I repeat this in "private browsing" mode in Orion, I get:

                Therefore I think there are some settings that private browsing applies which resolve some of these issues. I imagine that private mode has some stricter SOP rules, which other browsers are applying by default.

                For comparison, STP in regular non-private mode (Release 158 (Safari 16.4, WebKit 18615.1.12.110.1))
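To make the "cookie illegal domain value" finding above concrete, here is an added example (not code from this thread, from Orion or from BrowserAudit) that models the RFC 6265 cookie-domain rules a conforming browser applies: the host that sets a cookie must domain-match its Domain attribute, otherwise the cookie is discarded before it can ever be sent to test.browseraudit.com. The hostnames are taken from the finding quoted above; the IP-address and public-suffix checks of the RFC are omitted.

```javascript
// RFC 6265 §5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 §5.2.3: a single leading dot on the Domain attribute is ignored.
function normalizeDomainAttribute(attr) {
  return attr.replace(/^\./, "").toLowerCase();
}

// Minimal cookie jar applying the store-time check of RFC 6265 §5.3 step 6:
// the host that SETS the cookie must domain-match its Domain attribute,
// otherwise the whole cookie is ignored. This is the check a conforming
// browser performs before the cookie can ever be sent anywhere.
class CookieJar {
  constructor() { this.cookies = []; }

  // Returns true if the cookie was stored, false if it was rejected.
  set(settingHost, name, value, domainAttribute) {
    const host = settingHost.toLowerCase();
    if (!domainAttribute) {          // no Domain attribute: host-only cookie
      this.cookies.push({ name, value, domain: host, hostOnly: true });
      return true;
    }
    const domain = normalizeDomainAttribute(domainAttribute);
    if (!domainMatches(host, domain)) return false;   // §5.3 step 6
    this.cookies.push({ name, value, domain, hostOnly: false });
    return true;
  }

  // Names of the cookies that would be attached to a request to requestHost
  // (RFC 6265 §5.4): host-only cookies need an exact match, others domain-match.
  cookiesFor(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => c.name);
  }
}

// Constructed scenario mirroring the BrowserAudit finding quoted in the thread:
// browseraudit.com tries to set a cookie with Domain=.test.browseraudit.com.
function auditScenario() {
  const jar = new CookieJar();
  const stored = jar.set("browseraudit.com", "sop", "1", ".test.browseraudit.com");
  const sent = jar.cookiesFor("test.browseraudit.com");
  return { stored, sent }; // conforming: { stored: false, sent: [] }
}
```

A browser that reports the cookie as sent to test.browseraudit.com skipped the store-time check, which is why BrowserAudit classes it as a same-origin-policy failure rather than a warning.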

                The latest Orion update appears to have resolved this in a non-private window:

                Thank you! Orion meets perfection! 🙂

                  4 months later

                  Hi - I noticed the browseraudit scores for Orion as well, and ran it on a profile with no extensions installed and got this result:

                  I ran it again in a private window and got this:

                  I am no developer, so I cannot speak to what exactly it is testing or what it means, but I can say that I ran the same test in Safari (16.4) and it passed 377, had 7 warnings, 0 critical, and skipped 20.

                  Interestingly, Vivaldi and Edge both had critical issues too when I ran it.

                  So, do with this info what you want, I just thought I would give an update.

                    Getting even more with no extensions:

                    Safari:

                      Going to mark this for the next release, as the WebKit upgrade seems to have handled this.

                        a month later

                        Just got access to the current RC, and browseraudit looks even a little better:
