Site Isolation Design Document
This design document covers technical information about how Site Isolation is built. For a general overview of Site Isolation, see https://www.chromium.org/Home/chromium-security/site-isolation.
Motivation
Threat Model
- Stealing cross-site cookies and HTML5 stored data. We can prevent a renderer process from receiving cookies or stored data from sites other than its own.
- Stealing cross-site HTML, XML, and JSON data. Using MIME type and content sniffing, we can prevent a renderer process from loading most sensitive cross-site data. We cannot block all cross-site resources, however, because images, scripts, and other opaque files are permitted across sites.
- Stealing saved passwords. We can prevent a renderer process from receiving saved passwords from sites other than its own.
- Abusing permissions granted to another site. We can prevent a renderer process from using permissions such as geolocation that the user has granted to other sites.
- Compromising X-Frame-Options. We can prevent a renderer process from loading cross-site pages in iframes. This allows the browser process to decide if a given site can be loaded in an iframe or not based on X-Frame-Options headers.
- Accessing cross-site DOM elements via UXSS bugs. An attacker exploiting a universal cross-site scripting bug in the renderer process will not be able to access DOM elements of cross-site pages, which will not live in the same renderer process.
Requirements
Chrome's Current Status
- Cross-site iframes are usually hosted in the same process as their parent document.
- Most renderer-initiated navigations (including link clicks, form submissions, and script navigations) are kept within the current process even if they cross a site boundary. This is because other windows in the same process may attempt to use postMessage or similar calls to interact with them.
- If too many renderer processes have been created, Chrome starts to reuse existing processes rather than creating new ones. This reduces memory overhead.
Project Tasks
- Cross-Process Navigations
Any navigation to a different web site requires a process swap in the current tab or frame.
Status: Complete. Cross-process navigations are supported in all frames, and they are used to keep privileged WebUI or extension pages isolated from web pages. They are also used opportunistically for cross-site browser-initiated (e.g., Omnibox) navigations. - Cross-Process JavaScript
As mentioned above, some window and frame level interactions are allowed between pages from different sites. Common examples are postMessage, close, focus, blur, and assignments to window.location, notably excluding any access to page content. These interactions can generally be made asynchronous and can be implemented by passing messages to the appropriate renderer process.
Status: Complete. Chrome supports all required interactions, including frame placeholders, postMessage, close, closed, focus, blur, and assignments to window.location between top-level windows in different processes. - Out-of-Process iframes
Iframes have separate security contexts from their parent document, so cross-site iframes must be rendered in a different process from their parent. It is also important that an iframe that is from the same origin as a popup window shares a process with the popup window and not its own parent page. We render these out-of-process iframes in a separate RenderFrame composited into the correct visual location, much like plugins. This is by far the largest requirement for supporting site-per-process, as it involves a major architecture change to the Chrome and Blink codebases.
Status: Mostly complete. The first uses of Out-of-Process iframes (OOPIFs) have launched in Chrome 56, isolating extensions from web content. We are now working to fix the remaining known issues in OOPIF support. Tracked at https://crbug.com/99379. - Cross-Origin Read Blocking
While any given site is allowed to request many types of cross-site resources (such as scripts and images), the browser process should prevent it from receiving cross-site HTML, XML, and JSON data (based on a combination of MIME type and content sniffing).
Status: Our initial Cross-Site Document Blocking Policy has evolved into Cross-Origin Read Blocking (CORB), with a CORB Explainer. This is implemented for non-compromised renderer processes when Site Isolation is enabled, as of Chrome 63. The remaining work is tracked at https://crbug.com/268640. - Browser Process Enforcements
Some of Chrome's security checks are performed in the renderer process. When a process is locked to a given site, the browser process can enforce many of these checks itself, limiting what a compromised renderer process can achieve in an attack. This includes attempts to access site specific stored data and permissions, as well as other attempts to lie to the browser process.
Status: Some enforcements are in place, but more are tracked in https://crbug.com/786673. - Improved Renderer Process Limit Policy
We have investigated ways to limit number of extra processes Chrome creates in Site Isolation modes. One option is to support modes that only isolate a set of origins or sites (i.e., --isolate-origins) rather than all sites (i.e., --site-per-process). However, we are currently leaning towards isolating all sites given our current findings. Note that a page from one site may reuse a process that has already been used for that same site, and we aggressively reuse processes in this way for subframes when possible. Note that processes will not be reused for cross-site pages.
Status: We are currently aiming to isolate all sites, allowing process reuse only for pages from the same site.
Performance
How to Enable
Development Resources
- Site Isolation FYI bots: Linux and Windows
- Site Isolation try bot: linux_site_isolation
2015 Site Isolation Summit Talks
Chromium Changes for OOPIF
Blink Changes for OOPIF
Blink Changes for OOPIF
Discussions/Questions
Site Isolation Design Document的更多相关文章
- Agile software architecture design document style..( sketches and no UMLs)
http://www.infoq.com/articles/agile-software-architecture-sketches-NoUML If you're working in an agi ...
- How Blink works
How Blink works Author: haraken@ Last update: 2018 Aug 14 Status: PUBLIC Working on Blink is not eas ...
- Design Doc: Session History for Out-of-Process iframes
Design Doc: Session History for Out-of-Process iframes Charlie Reis, May 2014 This document outlines ...
- Quality in the Test Automation Review Process and Design Review Template
About this document Prerequisite knowledge/experience: Software Testing, Test Automation Applicable ...
- puppeteer(五)chrome启动参数列表API
List of Chromium Command Line Switches https://peter.sh/experiments/chromium-command-line-switches/ ...
- CEF 支持的命令行参数
参考:https://peter.sh/experiments/chromium-command-line-switches/ List of Chromium Command Line Switch ...
- 06 Frequently Asked Questions (FAQ) 常见问题解答 (常见问题)
Frequently Asked Questions (FAQ) Origins 起源 What is the purpose of the project? What is the history ...
- Capabilities & ChromeOptions
https://sites.google.com/a/chromium.org/chromedriver/capabilities http://stackoverflow.com/questions ...
- List of Chromium Command Line Switches(命令行开关集)——官方指定命令行更新网址
转自:http://peter.sh/experiments/chromium-command-line-switches/ There are lots of command lines which ...
随机推荐
- ZBrush通过遮罩得到子物体
ZBrush 中通过遮罩为模型添加子物体的方法简单且方便,我们可以通过按住Ctrl键绘制遮罩结合相关命令创建具有抽出厚度的模型提取出作为子物体附在模型表面.本文将详细介绍在Zbrush中如何通过遮罩得 ...
- Eclipse中合并GIT分支
合并GIT分支: 1. 切换到主分支: 2. 右击项目——Team——Merge…: 3. 在弹出的Merge框中选择要合并的分支——Merge: 4. 合并后如果出现冲突,右击项目——Tea ...
- failed to push some refs to 'git@github.com:RocsSun/mytest.git
Git推送到GitHub仓库失败 使用Git将文件推送至GitHub的远程仓库时,报错failed to push some refs to 'git@github.com:RocsSun/mytes ...
- NTP同步底层实现
RFC http://www.ietf.org/rfc/rfc5905.txt https://www.eecis.udel.edu/~mills/ntp/html/select.html https ...
- EXGSBS模板
EXBSGS模板 我之前把有一处b和c弄反了,有点困...然后调了半天 (exbsgs比excrt简单多了) 求x的最小正整数解 原式子拆成 在bsgs中,保证a,b互质,这样求出的逆元挪过去才对 但 ...
- Map的四种遍历方法
1.取值遍历 for(String key:map.keySet()){ System.out.println("key="+key+"and value=" ...
- 20130912.Windows下常用命令的使用(不断更新)
Win+R================================ cmd => 命令行 lpksetup => 弹出安装或者卸载Windows显示语言 ipconfig => ...
- sql删除注意的问题
老大骂你都是有原因的,基础要打好!!!! SQL关于删除的三个语句:DROP.TRUNCATE. DELETE 的区别. DROP test; 删除表test,并释放空间,将test表删除的一干二净 ...
- 2015 Multi-University Training Contest 8 hdu 5384 Danganronpa
Danganronpa Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 131072/131072 K (Java/Others)Tot ...
- jquery在文本框之后添加红*
var addHtml="<span class='text_red'>*</span>";function req(re){ if(re.parent(& ...