Michael Stone
2007-12-23 01:50:51 UTC
> Running an activity as the same user every time will not offer
> a way for that activity to attack any other activity. This should
> be the major concern.

The part that concerns me is that there are lots of activities derived
from Browse at the moment. This means that one of three things is going
to happen:

1) Too much isolation: all of the different browser variants will have
separate profiles
2) Too much sharing: We run them all as the same user and a malicious
one can come along and corrupt the whole shebang
3) Just right: We work out a decent protocol for them to play together

Causing all the instances of *Browse* to run as the same user might be a
decent band-aid for the immediate problem but it is not, in my opinion,
a good solution for the problem of 'we don't know how to make software
using xulrunner play well with others'.
> Letting the *.xo file request a single UID is a good idea.
> This helps get initial ports running.

There's a big difference between an annotation that says 'run me as the
same uid each time' and one that says 'run me as _this_ uid every time',
or, equivalently, one that says 'run me as the same uid as that other
guy over there'.

As I suggested above, I don't think the 'run me as the same uid every
time' is anything but a band-aid and I'm happy, for the time being, to
stick with the band-aid that I've got (de-isolating Browse).

The other two 'solutions' have some obvious flaws of their own.
> If an activity opens itself up for attack, then the author of
> that activity doesn't get a gold star. The activity is not a
> good example to learn from. In general though, the activity is
> not a problem. There is no critical need to protect activities
> from themselves.

I agree that there's no need to protect one instance from itself, but I
feel quite strongly that it is important to force authors to be explicit
about the communication that takes place between separate instances.
Others should feel free to disagree in the form of justified patches so
that we can publicly consider the merits of their proposal.
> (actually the browser is special, but nobody has proposed to
> start a new instance for each web site visited -- the browser
> is already handling multiple security contexts under one UID)

If I believed it were feasible from a memory and performance standpoint,
I would definitely be advocating that we start new instances for each
web site visited. State leakage between web pages is one of the major
classes of attacks on web browsers, no?

Michael