Allow groups of sites that can share a process when over limit |
||||
Issue descriptionWith Site Isolation and the --isolate-origins=https://foo.com flag, it's possible to define a list of origins and sites that each require dedicated processes. As the list of sites grows, it may lead to the creation of too many processes. Chrome currently has a process limit, after which web sites are allowed to share processes with each other. There's some ad hoc logic for extensions in ChromeContentBrowserClientExtensionsPart::IsSuitableHost which says all extensions are allowed to share with each other but not web sites. (There's a similar bucket for hosted apps.) If we can generalize this, it might be a useful way to protect a larger set of sites from the general web without as much impact on the process count. For example, enterprises might define a list of corporate sites which might start sharing processes with each other when the user is over the process limit, but which should never share a process with external sites. We could even allow some of this sharing proactively to help the user stay under the limit, such as the current code that limits extensions to at most 1/3 of the full process limit. It would be good to provide this as an abstraction within content/ to remove some of the custom code in the extensions layer (e.g., the RenderProcessHostPrivilege enum), perhaps as a set of URL pattern sets. The members of the set might be assumed to be isolated origins. Some challenges include: 1) Reconciling LockToOrigin vs RequiresDedicatedProcess. (Today, that's the difference between isolated origins and extensions, and whether we can enforce site-specific checks on a process.) 2) Making as specific enforcements as possible (e.g., only allowing access to data for the origins known to be in the process, not all origins in the group). 3) Handling extension corner cases, like hosted apps. Most chrome-extension:// URLs could be assumed to be isolated origins that share a group with all chrome-extension://* URLs, but we somehow want to exclude hosted apps from that category.
,
Sep 1 2017
,
Sep 12 2017
Some additional thoughts about the extension case. There's strong incentives to have a content module feature for defining a group of sites, replacing the current ad hoc logic around extension bucketing. We'll be able to remove the custom code mentioned above, and it will be easier for ChildProcessSecurityPolicy (or other features) to do checks within content for whether a given process can access extension data. (Today, they'd have to call out to the embedder for those checks, but content may be able to tell on its own with a list of isolated origin groups.) As noted above, hosted apps are tricky because they shouldn't share with extensions or platform apps, but they can't be distinguished by URL alone. (All 3 types of URLs start with chrome-extension://, and the manifest indicates which type it is.) Perhaps the extension logic can explicitly register enabled extensions/apps/hosted app origins into respective groups. Any disabled or uninstalled extensions wouldn't be treated as special at all. (Hopefully we'd find a way to deny access to their data entirely?) This would push more data within the content module, letting it more easily manage process sharing and jail/citadel style enforcement checks without having to call out to the embedder every time.
,
Sep 15 2017
Untriaged w/ owner -> Assigned
,
Sep 15 2017
(triage: untriaged w/ owner -> assigned)
,
Oct 14 2017
There's some discussion of the current logic for extension process sharing in issue 774729 . The TODO in ChromeContentBrowserClientExtensionsPart::ShouldLockToOrigin behaves a bit unexpectedly, and disables extension process sharing in --site-per-process. This grouping mechanism should help fix the TODO and make it easier to understand DoesSiteRequireDedicatedProcess vs ShouldLockToOrigin. |
||||
►
Sign in to add a comment |
||||
Comment 1 by creis@chromium.org
, Aug 30 2017Components: Enterprise