Out-of-Process iframes (OOPIFs)
Out-of-Process iframes (OOPIFs)
This page provides an overview of Chromium's support for out-of-process iframes (OOPIFs), which allow a child frame of a page to be rendered by a different process than its parent frame. OOPIFs were motivated by security goals like the Site Isolation project, since they allow a renderer process to be dedicated to a single web site, even when cross-site iframes are present. OOPIFs are a general mechanism, though, and can be used for other features than security (e.g., the <webview> tag in Chrome Apps). Supporting OOPIFs required a large architecture change to Chromium. At a high level, the browser process now tracks subframes directly, and core parts of the browser (e.g., painting, input events, navigation, etc) have been updated to support OOPIFs. Many other features in Chromium now combine information from frames in multiple processes when operating on a page, such as Accessibility or Find-in-Page.
StatusCurrent UsesThe first use of OOPIFs was --isolate-extensions mode, which launched to Chrome Stable in M56. This mode uses OOPIFs to keep web iframes out of privileged extension processes, which offers a second line of defense against malicious web iframes that might try to compromise an extension process to gain access to extension APIs. This mode also moves extension iframes on web pages into extension processes.
Experimental UsesWe are currently running field trials to use OOPIFs rather than the plugin infrastructure to implement GuestViews (e.g., <webview> tags in Chrome Apps). This mode is primarily an architectural cleanup, and it should provide better feature support within GuestViews in the long term. This can be enabled as "Cross process frames for guests" in about:flags.
For performance experiments, the --top-document-isolation command line flag puts all cross-site iframes across all tabs into a single subframe process. The goal is to keep the main document in each tab responsive despite potentially slow iframes. Note that this is still an early prototype, and we are still investigating the tradeoff between the extra parallelism and memory overhead to determine if there are cases this is worthwhile. Note that OOPIFs cannot be used for same-site frames (which may synchronously script each other), and we have no current plans to use them for cross-thread frames in the same process. This mode can also be enabled as "Top document isolation" in about:flags.
Beyond this, the --site-per-process command line flag enables an experimental security mode that causes all renderer processes to be dedicated to a single site. This provides strong isolation for all web sites, but it tends to create many more renderer processes than Chromium's default process model. Before launching this mode, we are likely to limit it to only isolating a subset of high-value or high-risk sites. This mode can also be enabled as "Out of process iframes" in about:flags.
Please file any bugs observed in these modes using the component Internals>Sandbox>SiteIsolation.
Project Resources
Architecture OverviewFrame RepresentationMuch of the logic in the content module has moved from being tab-specific to frame-specific, since each frame may be rendered in different processes over its lifetime. ProxiesDocuments that have references to each other (e.g., from the frame tree, window.opener, or named windows) can interact via JavaScript. When the documents are same-site, they must live in the same process to allow synchronous access. When they are cross-site, they can live in different processes but need a way to route messages to each other, for calls like postMessage. Same-site documents with references to each other are grouped together using the SiteInstance class, as described on the Process Models page. To support cross-process interactions like postMessage on a document's DOMWindow, Chromium must keep a proxy for the DOMWindow in each of the other processes that can reach it. As shown in the diagram at right, this allows a document from site A to find a proxy in its own process for a DOMWindow that is currently active on site B. The proxy can then forward the postMessage call to the browser and then to the correct document in the process for site B. OOPIFs require each renderer process to keep track of proxy DOMWindows for all reachable frames, both main frames and subframes. Browser ProcessChromium keeps track of the full frame tree for each tab in the browser process. WebContents hosts a tree of FrameTreeNode objects, mirroring the frame tree of the current page. Each FrameTreeNode contains frame-specific information (e.g., the frame's name, origin, etc). Its RenderFrameHostManager is responsible for cross-process navigations in the frame, and it supports replicating state and routing messages from proxies in other processes to the active frame.
Renderer ProcessIn each renderer process, Chromium tracks of proxy DOMWindows for each reachable frame, allowing JavaScript code to find frames and send messages to them. We try to minimize the overhead for each of the proxy DOMWindows by not having a document, widget, or full V8 context for them. Frame-specific logic in the content module's RenderView and RenderViewHost classes has moved into routable RenderFrame and RenderFrameHost classes. We have one full RenderFrame (in some process) for every frame in a page, and we have a corresponding but slimmed down RenderFrameProxy as a placeholder in the other processes that can reference it. These proxies are shown with dashed lines in the diagram below, which depicts one BrowsingInstance (i.e., group of related windows) with two tabs, containing two subframes each. Inside BlinkBlink has LocalFrame and LocalDOMWindow classes for frames that are in-process, and it has RemoteFrame and RemoteDOMWindow classes for the proxies that live in other renderer processes. The remote classes have very little state: generally only what is needed to service synchronous operations. A RemoteDOMWindow does not have a Document object or a widget. Blink has the ability to swap any frame between the local and remote versions. (This replaces the old "swapped out RenderViewHost" implementation that Chromium used for cross-process navigations.) It is worth noting that the <webview> implementation is being migrated to work on top of the new OOPIF infrastructure. For the most part, Blink code will be able to treat a <webview> similar to an <iframe>. However, there is one important difference: the parent frame of an <iframe> is the document that contains the <iframe> element, while the root frame of a <webview> has no parent and is itself a main frame. It will likely live in a separate frame tree. This support for OOPIFs and <webview> has several major implications for Blink:
Some earlier information on the refactoring goals can be found in the FrameHandle design doc, however that is largely obsolete.
Note: We are attempting to minimize the memory requirements of RemoteFrames and RemoteDOMWindows, because there will be many more than in Chromium before OOPIFs. Before, the space required for swapped out RenderViewHosts was O(tabs * processes) within a BrowsingInstance, and most BrowsingInstances only contain 1 or 2 tabs. OOPIFs will require O(frames * processes) space for proxies. This could be much higher, because the number of frames can be much larger than the number of tabs, and because the number of processes will increase based on cross-site frames. Fortunately, RemoteFrames require far less memory than LocalFrames, and not all cross-site iframes will require separate processes.
NavigationChromium now has support for cross-process navigations within subframes when using the --isolate-extensions or --site-per-process flags. Rather than letting the renderer process intercept the navigation and decide if the browser process should handle it, all navigations will be intercepted in the browser process's network stack. If the navigation crosses a site boundary that requires isolation (according to our Site Isolation policy), the browser process will swap the frame's renderer process. This can be done because the browser process knows the full frame tree, as described above. Until PlzNavigate launches, this is implemented using CrossSiteResourceHandler to transfer navigations to a different process when needed. A tab's session history also becomes more complicated when subframes may be rendered by different processes. Currently, Blink takes care of tracking the frame tree in each HistoryItem in the renderer process, and the browser process just tracks each back/forward entry using NavigationEntry. We are removing the frame tracking logic from Blink's HistoryController to keep track of each frame's navigations in the browser process directly. We will also change the representation of a tab's session history to more closely match the HTML5 spec. Rather than cloning the frame tree for each HistoryItem, we will keep track of each frame's session history separately in the browser process, and we will use a separate "joint session history" list for back and forward navigations. Each entry in this list will have a tree of pointers to each frame's corresponding session history item. We expect this to require changes to the session restore logic as well. All details of navigation refactoring are described in this design document. RenderingTo render an iframe in a different process than its parent frame, the browser process passes information back and forth between the renderer processes and helps the GPU process composite the images together in the correct sizes and locations. We use the Surfaces implementation to maintain a set of textures from multiple renderer processes, compositing them into a single output image. More details are available in this design document. Input EventsSimilar to rendering, we use the Surfaces implementation to do hit testing in the browser process to deliver input events directly to the intended frame's renderer process. We are also starting to manage focus in the browser process to send keyboard events directly to the renderer process of the focused frame. More details are available in this design document. |
Out-of-Process iframes (OOPIFs)的更多相关文章
- Rendering and compositing out of process iframes
For Developers > Design Documents > Out-of-Process iframes (OOPIFs) > Rendering and ...
- Design Doc: Session History for Out-of-Process iframes
Design Doc: Session History for Out-of-Process iframes Charlie Reis, May 2014 This document outlines ...
- Chromium网页Frame Tree创建过程分析
Chromium在加载一个网页之前,需要在Browser进程创建一个Frame Tree.Browser进程为网页创建了Frame Tree之后,再请求Render进程加载其内容.Frame ...
- Site Isolation Design Document
This design document covers technical information about how Site Isolation is built. For a general ...
- IIS启动失败,启动Windows Process Activation Service时,出现错误13:数据无效 ;HTTP 错误 401.2 - Unauthorized 由于身份验证头无效,您无权查看此页
因为修改过管理员账号的密码后重启服务器导致IIS无法启动,出现已下异常 1.解决:"启动Windows Process Activation Service时,出现错误13:数据无效&quo ...
- C#的Process类调用第三方插件实现PDF文件转SWF文件
在项目开发过程中,有时会需要用到调用第三方程序实现本系统的某一些功能,例如本文中需要使用到的swftools插件,那么如何在程序中使用这个插件,并且该插件是如何将PDF文件转化为SWF文件的呢?接下来 ...
- C# ShellExcute与Process
C#运行外部程序的两种方法 ShellExecute using System.Runtime.InteropServices; public enum ShowWindowCommands : in ...
- 【手记】调用Process.EnterDebugMode引发异常:并非所有引用的特权或组都分配给呼叫方
刚上线一个新版本,其中有台电脑打开软件就报[xx的类型初始值设定项引发异常](还好不是一大波电脑,新东西上线就怕哀鸿遍野),如图: 显然是该类型的静态构造函数中抛异常了(红线处就是类名),遂打开该类, ...
- C# - 多线程 之 Process与Thread与ThreadPool
Process 进程类, // 提供对本地和远程进程的访问,启动/停止本地系统进程 public class Process : Component { public int Id { get; } ...
随机推荐
- ios学习--第三方框架-MBProgressHUD以及扩展
MBProgressHUD提示框官网地址:https://github.com/jdg/MBProgressHUD 一. 模式 首先, MBProgressHUD有以下几种视图模式. typedef ...
- Kali linux 2016.2(Rolling)中的Exploits模块详解
简单来将,这个Exploits模块,就是针对不同的已知漏洞的利用程序. root@kali:~# msfconsole Unable to handle kernel NULL pointer der ...
- java基础——单例设计模式(懒汉式)
public class Test7 { // 主函数 public static void main(String[] args) { Test7.getInstance().function(9, ...
- ubuntu上配tensorflow
前一阵绕了大弯路,基本弄好了UEFI双系统后,面对的就是CUDA咋装在Linux. 好在教程好多,有些朋友建议先装CUDA再装显卡驱动.弄好之后记录一下详细过程吧. *** 这两天看了一些教程,还是感 ...
- NEON基本知识
http://blog.csdn.net/EmSoftEn/article/details/51834171 http://blog.csdn.net/yxnyxnyxnyxnyxn/article/ ...
- 找出在使用临时表空间的SQL
SELECT a.username, a.sid, a.serial#, a.osuser, b.tablespace, b.blocks, c.sql_text FROM v$session a, ...
- NodeJS学习笔记 (7)网络服务-http-client(ok)
原文:https://github.com/chyingp/nodejs-learning-guide 自己敲代码: ClientRequest概览 当你调用 http.request(options ...
- POJ-2318 TOYS 计算几何 判断点在线段的位置
题目链接:https://cn.vjudge.net/problem/POJ-2318 题意 在一个矩形内,给出n-1条线段,把矩形分成n快四边形 问某些点在那个四边形内 思路 二分+判断点与位置关系 ...
- UVA-1602 Lattice Animals 搜索问题(打表+set)
题目链接 https://vjudge.net/problem/UVA-1602 紫书的一道例题,跟之前的很多题目有很多不同. 本题不像是一般的dfs或bfs这样的搜索套路,而是另一种枚举思路. 题意 ...
- 关于JWT(Json Web Token)的思考及使用心得
什么是JWT? JWT(Json Web Token)是一个开放的数据交换验证标准rfc7519(php 后端实现JWT认证方法一般用来做轻量级的API鉴权.由于许多API接口设计是遵循无状态的(比如 ...