> If every web page had its own full chroot/jail (or equivalent), then they would be as secure as native applications.
This is exactly what Chrome has always done and other browsers are adopting: plugins have long had to have elevated privileges (I'm no expert on why), but if you exploit an image rendering or font library, you get nothing, because the browser and each tab's renderer are separate processes, and the latter are heavily sandboxed through the OS. This bug is impressive and the first of its kind because it doesn't attack a plugin, but the sandbox itself (indirectly, through the IPC mechanism). In that sense it's not much different from attacking the iOS sandbox: web pages have more access to cross-origin communications (and other functionality that must pass through the sandbox, such as downloads), and there seem to generally be more situations where the renderer has to synchronize with the browser, but that's mostly a matter of degree.
Chrome's sandbox is not equivalent to having a separate jail for every web site. It is designed to prevent web content from attacking non-browser apps and data, not to prevent one web page from attacking another (though Chrome, like all browsers, has other mechanisms to do this).
Chrome does not guarantee one process per tab, or even per origin. If you reach its internal process limit -- or if a page does something like window.open() that gives it a reference to another tab -- then it will render multiple sites in the same processes, not sandboxed from each other: http://code.google.com/p/chromium/issues/detail?id=81877