Most of those are not actually software security features, but rather policy differences between Mozilla and Google. Those that aren't policy decision, are either not security features, or is features not implemented first in chrome (through chrome was first using it in default installation). Chrome get a half point regarding tab isolation.
Tab isolation by process is something between a security feature and a vulnerability mitigation feature, through I would likely call it a vulnerability mitigation feature. It doesn't do anything to prevent exploits, but it does prevent further exploits once a vulnerability has been exploited. Still its a nice thing to have (like insurance after the house has burned down) and is something Firefox should implement.
HSTS is nice, and now included by default in most browsers (chrome, firefox, opera). Personally, using noscript, security aware firefox people have had HSTS before firefox 2 was release. That is 2 years before chrome existed. It also exist in https-everywhere.
Regarding Cert pinning, I can't say I am a fan. Its a whitelist approach to security, where Google decide who is important enough to be privileged for improved security. Chrome was aware about the scaling issue from the begining, and has improved the situation by the Cert pinning extension RFC draft. Once/if it get finalized and more security professionals go through it, it will be interesting to see how it scales, what corner cases there is, and if the caching effect will come back and haunt people.
As for the rest... Chrome led the way of auto-update without first informing the user, while Firefox poped up a request for update. In real world security, this is an improvement because the user can't be trusted with deciding if the program shall update. Google has acknowledge that this only a useful feature on windows/Apple, and has this disabled on linux, assuming because a linux user can be trusted with the decision about updating. This is not a software difference between firefox and chrome, but rather a policy difference between Google and Mozilla.
And to comment the last features, PDF and Flash. Google has not written their own Flash handler. They have however bundled it with chrome and thus made sure its updated. This is something Firefox simply can't do thanks to license costs, which mean its mostly a difference between Google and Mozilla as organizations rather than a software improvement of Chrome. I am not sure if the same is true regarding PDF.
Tab isolation by process is something between a security feature and a vulnerability mitigation feature, through I would likely call it a vulnerability mitigation feature. It doesn't do anything to prevent exploits, but it does prevent further exploits once a vulnerability has been exploited. Still its a nice thing to have (like insurance after the house has burned down) and is something Firefox should implement.
HSTS is nice, and now included by default in most browsers (chrome, firefox, opera). Personally, using noscript, security aware firefox people have had HSTS before firefox 2 was release. That is 2 years before chrome existed. It also exist in https-everywhere.
Regarding Cert pinning, I can't say I am a fan. Its a whitelist approach to security, where Google decide who is important enough to be privileged for improved security. Chrome was aware about the scaling issue from the begining, and has improved the situation by the Cert pinning extension RFC draft. Once/if it get finalized and more security professionals go through it, it will be interesting to see how it scales, what corner cases there is, and if the caching effect will come back and haunt people.
As for the rest... Chrome led the way of auto-update without first informing the user, while Firefox poped up a request for update. In real world security, this is an improvement because the user can't be trusted with deciding if the program shall update. Google has acknowledge that this only a useful feature on windows/Apple, and has this disabled on linux, assuming because a linux user can be trusted with the decision about updating. This is not a software difference between firefox and chrome, but rather a policy difference between Google and Mozilla.
And to comment the last features, PDF and Flash. Google has not written their own Flash handler. They have however bundled it with chrome and thus made sure its updated. This is something Firefox simply can't do thanks to license costs, which mean its mostly a difference between Google and Mozilla as organizations rather than a software improvement of Chrome. I am not sure if the same is true regarding PDF.