New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 679011 link

Starred by 5 users
Status: Fixed
Owner:
lukasza@chromium.org
Closed: May 2017
Cc:
a...@chromium.org
nick@chromium.org
creis@chromium.org
nasko@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

TDI creates subframe process for same-site (or even same-origin) iframes in hosted apps

Project Member Reported by creis@chromium.org, Jan 6 2017 
Chrome Version: 57.0.2973.0
OS: Win10

What steps will reproduce the problem?
(1) Make sure the Google Docs hosted app (aohghmighlieiainnegkcijnfilokake) is installed.
(2) Start Chrome with --top-document-isolation.
(3) Visit https://docs.google.com and sign in.
(4) Open Chrome's Task Manager.

What is the expected result?
There should be no subframe process, since https://docs.google.com only has same-site iframes (e.g., https://clients4.google.com, https://accounts.google.com).

What happens instead?
There's a "Subframes for: Google Docs" process in the Task Manager.

This is likely because Chrome considers the subframes outside the hosted app, and thus creates a TDI process for them.  I don't see any functionality problems (since they're cross origin anyway), but we should avoid creating the extra process in this case.  It may also be a functional bug for same-origin iframes that are outside the hosted app's extent.

Comment 1 by lukasza@chromium.org, Apr 20 2017 

I am guessing that this particular bug can be fixed by tweaking ChromeContentBrowserClient::ShouldFrameShareParentSiteInstanceDespiteTopDocumentIsolation that was introduced when fixing a similar bug ( issue 665109 ) in r432951.

Comment 2 by lukasza@chromium.org, Apr 25 2017 

We discussed the following scenario:
- MF: Main frame: Docs hosted app (document.origin = "https://docs.google.com", effective URI is a chrome-extension URI)
- SF1: Subframe from client5.google.com origin
- SF2: Hypothetical subframe from another.site.com origin

Putting SF1 in the same process as MF is needed to fix the current bug.  Putting SF2 in the same process as MF is optional (creis@ suggested this shortcut and nick@ is okay with it).  Leaving placement of SF2 undefined means that we can fix this bug by simply disabling TDI if the parent SiteInstance belongs to a hosted app.  This way we avoid having to compare real URL of the parent (or web extent patterns of the parent) with the site of the subframe (which is doable and not that difficult, but definitely adds non-trivial amount of code and maintenance burden going forward).

Comment 3 by lukasza@chromium.org, Apr 25 2017 

To reinforce #c2, nick@ helped with a small experiment and it seems that --isolate-extensions (in absence of TDI) doesn't kick out a cross-site subframe out of a hosted app's renderer process (*).  This experiment shows that (at least today) the decision whether to kick a cross-site frame into a separate process from a hosted app is purely a TDI decision (and not an --isolate-extensions decision).

(*) The scenario we looked at was
1) launching docs app,
2) verifying that a tab shows https://docs.google.com in omnibox while having access to chrome.app APIs,
3) using DevTools to add a cross-site iframe (https://anforowicz.github.io/frame-creation-order/index.htm),
4) looking at the task manager to see that the new iframe didn't get kicked out to a separate renderer process).

Comment 4 by lukasza@chromium.org, Apr 28 2017 

I've verified that this bug also represents a functionality problem that creis@ alluded to in the original comment.  I am not sure how often this is a problem in practice, but in a test I see that http://app.site.com/save_page/a.htm trying to script http://app.site.com/frame_tree/simple.htm (when only the latter one is covered by the hosted app's web extent) gives a hilarious error message: Uncaught SecurityError: Blocked a frame with origin "http://app.site.com:35938" from accessing a frame with origin "http://app.site.com:35938". Protocols, domains, and ports must match.

Comment 5 by lukasza@chromium.org, Apr 28 2017

Owner: lukasza@chromium.org
Status: Started (was: Available)
Summary: TDI and --site-per-process creates subframe process for same-site iframes in hosted apps (was: TDI creates subframe process for same-site iframes in hosted apps)
This bug is not limited to --top-document-isolation - it also affects other isolation modes (e.g. #c4 repros with --site-per-process).

Comment 6 by lukasza@chromium.org, Apr 28 2017 

BTW: To repro the issue in #c4 and #c5 we don't really need a hosted app extent that covers *path*.  The same issue will repro for app.site.com (covered by hosted app's extent) and other.site.com (not covered) if they both use window.domain.

I am mentioning this for completeness.  I don't want to comment for now how common is such usage of window.domain and/or hosted apps.

Comment 7 by lukasza@chromium.org, Apr 28 2017 

If we wanted to host app.site.com and other.site.com in the same process even with --site-per-process, then I *think* we need to:

1. Stop treating PRIV_HOSTED as separate from PRIV_NORMAL for purpose of calculating IsSuitableHost.

2. Get RenderFrameHostManager::IsCurrentlySameSite to return true when |candidate->GetSiteInstance()| hosts the hosted app and |dest_url| is a same-site webpage outside of the hosted app's extent.  This is tricky, because the very first thing that SiteInstance::IsSameWebSite does is ask the //chrome layer for GetEffectiveURL.  I've tried removing GetEffectiveURL from extensions layer (i.e. from ChromeContentBrowserClientExtensionsPart) in https://codereview.chromium.org/2851763003 (note dependency on the other CL) but so far this hsa resulted in quite a few broken browser tests...

(*)
--- a/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
+++ b/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
@@ -88,7 +88,6 @@ namespace {
 // sure URLs are served by hosts with the right set of privileges.
 enum RenderProcessHostPrivilege {
   PRIV_NORMAL,
-  PRIV_HOSTED,
   PRIV_ISOLATED,
   PRIV_EXTENSION,
 };
@@ -147,7 +146,7 @@ RenderProcessHostPrivilege GetPrivilegeRequiredByUrl(
   if (extension && AppIsolationInfo::HasIsolatedStorage(extension))
     return PRIV_ISOLATED;
   if (extension && extension->is_hosted_app())
-    return PRIV_HOSTED;
+    return PRIV_NORMAL;
   return PRIV_EXTENSION;
 }
 
@@ -166,7 +165,7 @@ RenderProcessHostPrivilege GetProcessPrivilege(
     if (extension && AppIsolationInfo::HasIsolatedStorage(extension))
       return PRIV_ISOLATED;
     if (extension && extension->is_hosted_app())
-      return PRIV_HOSTED;
+      return PRIV_NORMAL;
   }
 
   return PRIV_EXTENSION;

Comment 8 by lukasza@chromium.org, May 4 2017

Summary: TDI creates subframe process for same-site (or even same-origin) iframes in hosted apps (was: TDI and --site-per-process creates subframe process for same-site iframes in hosted apps)
Let's make this bug again focused only on --top-document-isolation and the follow-up for --site-per-process and other isolation modes can be tracked in issue 718516.

Comment 10 by lukasza@chromium.org, May 5 2017

Status: Fixed (was: Started)
I think it is okay to mark this bug as fixed and follow-up on the remaining issues in issue 718516.

Sign in to add a comment