Yep! Should have said Chromium as that's what's installed, but you run chrome from the command line or wherever to run it.
I have a /etc/hosts snippet that blocks google (and facebook) that I append to Steven Black's hosts list (that's as good as ad-block). Not sure how that google list was formed (many I suspect were mapped using traffic flows), but it does a good job and the browser is much quicker at loading some web pages that otherwise can be very sluggish to load/view. When I do want to do a google type thing I just revert to Steven Black's list only as a temporary measure. I set /tmp as my chromium disk-cache-dir so pretty much start off with a clean browser at each reboot. I don't store bookmarks in chromium either, I maintain my own html file for those that shows the date/time in the tab title.
Normally I have tmux and chrome maximised and just flip between the two with alt-tab (and then select the relevant tab/window in either chrome or tmux for the thing I want to do). No root actions within X (that runs as user (no su or doas/sudo)), I use the console (ctrl-alt-F1) only for root actions. Docs/data are stored under root ownership and fed in/out of user's sight on an as-and-when basis.
Chrome(ium) in OpenBSD 6.4 with unveil and pledge is pretty much sandboxed, when running under user ... well privilege elevation in OBSD is tough to say the least (randomised kernel, fileid's, process id's, write xor execute memory separation, no setuid's ...etc. etc.).
Try for instance installing xdotool (for simplicity), open a xterm window and su into root within that. Open another xterm window as user and run something like
to identify the first xterm's window id, and then run
xdotool windowactivate 6291469 type "$(printf 'date\r')"
but substituting the window id from earlier instead of 6291469 that was the window id in my case. You could have run rm -rf / (DON'T), or targeted perhaps a file manager window running as root to stuff keystrokes to perhaps use its open-terminal-here option and then stuff keystrokes into that root xterm window. A very trivial example of how a single browser flaw (Firefox tend to publish details of how remote code exploits were available in older versions) could open up remote command execution at the level the browser was running under (user), and where that could facilitate elevation to root if another window were running something as root.
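A defensive counterpart to the scenario above, added here as an example and not part of the original post: an audit that flags X windows with a root-owned process running underneath them. The xterm process itself stays user-owned after su, so the check walks the process tree below each window's client PID. The window-to-PID map and the process table are constructed sample data, and the function names are hypothetical; on a real system the map would come from the `_NET_WM_PID` window property, which clients set themselves and may omit.

```python
import re

# Constructed sample data, not captured from a real system.
# Window id -> PID of the client that owns it (the _NET_WM_PID property).
SAMPLE_WINDOWS = {0x600003: 4100, 0x800001: 4200, 0xA00002: 4300}
# Process table as "pid ppid uid command" lines.
SAMPLE_PS = """\
 4100     1  1000 xterm
 4101  4100  1000 ksh
 4102  4101     0 su
 4103  4102     0 ksh
 4200     1  1000 xterm
 4201  4200  1000 ksh
 4300     1  1000 chrome
"""

def parse_ps(text):
    """Return {pid: (ppid, uid, command)}."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$", line)
        if m:
            procs[int(m[1])] = (int(m[2]), int(m[3]), m[4].strip())
    return procs

def descendants(procs, top):
    """PIDs at or below `top`; the xterm is user-owned, the su'd shell is a child."""
    children = {}
    for pid, (ppid, _, _) in procs.items():
        children.setdefault(ppid, []).append(pid)
    seen, stack = set(), [top]
    while stack:
        pid = stack.pop()
        if pid in procs and pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, []))
    return seen

def root_exposed_windows(windows, procs):
    """Map window id -> root-owned (pid, command) pairs running under it."""
    findings = {}
    for wid, pid in windows.items():
        hits = sorted((p, procs[p][2]) for p in descendants(procs, pid) if procs[p][1] == 0)
        if hits:
            findings[wid] = hits
    return findings

if __name__ == "__main__":
    for wid, hits in root_exposed_windows(SAMPLE_WINDOWS, parse_ps(SAMPLE_PS)).items():
        print(f"window {wid:#x}: root-owned {hits}")
```

An empty result matches the setup described earlier in the post, where root work happens only on the console and nothing in the X session runs as root.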