[HN Gopher] Site Isolation in Firefox
___________________________________________________________________
Site Isolation in Firefox
Author : arthuredelstein
Score : 290 points
Date : 2021-05-18 16:02 UTC (6 hours ago)
(HTM) web link (blog.mozilla.org)
(TXT) w3m dump (blog.mozilla.org)
| korethr wrote:
| When Chrome was new and shiny, I used it for a time. Then, the
| first time I found myself needing to kill Chrome because it was
| completely locked up, I found myself staring at a wall of chrome
| processes in the task list, not knowing which one I needed to
| kill. At the time, I thought the idea of a separate process for
| each tab was silly. Though, with Firefox moving towards this
| model, I guess the engineers at Google were prescient in the
| correctness of that tradeoff.
|
| I do use a lot of tabs, so I fear I'm going to find myself facing
| the same problem I faced with Chrome: a site misbehaves and locks
| things up, crap, which process do I kill? A way of tracking which
| tab maps to which process would be nice, so the next time I trip
| over a badly-coded page, I don't have to kill everything just to
| get my browser to respond again. Lazyweb question to y'all: is
| there a feature in Chrome or Firefox that can do this (mapping
| tab/page -> process), or have I just stumbled upon a side-project
| idea?
| carlhjerpe wrote:
| In htop I can see and kill the process tree, I think
| processhacker2 can achieve the same on Windows.
| annyg wrote:
| Sounds like the page "about:processes" in Firefox would be super
| helpful in this case! You can use it to unload tabs and kill
| processes.
| gourlaysama wrote:
| On Firefox you can go to `about:processes`.
|
| It lists tabs by process, and includes the PID (on Linux; no
| idea about other platforms). You can also directly kill tabs
| and processes from there.
| dmos62 wrote:
| That's super useful on a resource-strapped system. Wish I
| knew this earlier.
| kakuri wrote:
| Process Explorer (from sysinternals) lists processes as a tree
| so it's easy to find and kill the root Chrome process. At a
| glance it looks like all non-root processes have a "--type"
| parameter given to them. The root process has the simplest
| command line with only "--remote-debugging-port" being passed.
| pspdrome wrote:
| Shift+Esc brings out Chrome task manager where you can kill
| individual tabs/pages by name.
| kbelder wrote:
| Nice!
|
| I suspected gmail was the heaviest thing I regularly had
| open, but it's good to see the stats.
| ocdtrekkie wrote:
| Does this work when Chrome is locked up? Usually people go to
| Task Manager because it's unresponsive.
| hutrdvnj wrote:
| It works when 1..n of your tabs are frozen, but the UI is
| still responsive e.g. you are still able to switch to other
| tabs. If your Chrome is completely frozen, i.e. you can't
| even open the Chrome task manager, then you usually have to
| restart the browser.
| nfoz wrote:
| > a site misbehaves and locks things up
|
| Why/how can this happen? That sounds like a bad failure of the
| browser.
| jedberg wrote:
| When a tab freezes, I just pull up activity monitor/top and
| look for the Chrome process using the most CPU. It's almost
| always the culprit.
|
| I also like to occasionally sort by memory usage and kill the
| biggest Chrome processes. Chrome is nice in that it will show
| you when a process crashed, so what I do is kill the biggest
| memory hog, and then see what tab crashed. Then I do it again a
| few times.
|
| This at least tells me which processes use the most RAM over
| time and should be recycled (Spoiler alert, it's always GMail
| and then GCal.)
| pmontra wrote:
| I gave it a try. I opened a new tab to a random website, then
| went to about:memory
|
| Scrolling down I found a section starting with
|
| > web (pid 1036080)
|
| > Explicit Allocations
|
| > 108.27 MB (100.0%) -- explicit
|
| > +---45.04 MB (41.60%) -- window-objects/top(https://www.that-random.site/, id=175)
|
| I try to kill that process now, but I post this message first
| in case I kill the whole browser.
|
| Result: the tab crashed, the browser survived.
|
| > Gah. Your tab just crashed.
|
| > We can help!
|
| > Choose Restore This Tab to reload the page.
|
| Restore did work.
| podiki wrote:
| Could anyone here who has been using it report their experience
| with site isolation turned on? Do you find anything it breaks or
| makes more difficult? Has it altered your privacy/security
| practices (in terms of addons, other settings, etc.)?
| user764743 wrote:
| I've had site isolation on for more than a year. Never had any
| issues with it.
| yakubin wrote:
| This provides more technical details:
| <https://hacks.mozilla.org/2021/05/introducing-firefox-new-si...>,
| which should be more interesting to HN than a marketing
| announcement.
|
| In particular, it seems that "site" isn't precisely defined. It
| seems to be based on domains, but backed by a human-curated list
| of "sites": <https://github.com/publicsuffix/list>.
|
| So it's different than Chrome's "every webpage gets a separate
| process".
| JonathonW wrote:
| Chrome's policy is pretty much the same; while it can generate
| a process-per-tab under most conditions, the guarantee it
| actually makes (in modern versions of Chrome) is that sites
| (including different-origin iframes) are isolated into
| different processes. They use the PSL to determine which sites
| constitute a different origin, just like Firefox does.
| Dylan16807 wrote:
| I don't know if "most conditions" is even true. Even when
| it's only running a handful of processes and I have plenty of
| ram free I _cannot_ convince it to use more than one process
| for twitch tabs.
| lxgr wrote:
| I think there are some restrictions on tab "navigation
| source". (Something about a fairly obscure JavaScript
| feature that links tabs opened via click navigation, if I
| recall correctly.)
|
| Does this also happen when you type the Twitch URL in a new
| tab?
| nly wrote:
| They've been using the public suffix list for scoping cookies
| for ages. It's an important list
| SimeVidas wrote:
| "Site" is defined in the HTML Standard:
| https://html.spec.whatwg.org/multipage/origin.html#same-site
| bugmen0t wrote:
| The definition of site in this case is
| <https://html.spec.whatwg.org/multipage/origin.html#sites>, for
| both Firefox and Chrome. If you don't like reading specs, this
| blog post might be interesting to you
| <https://web.dev/same-site-same-origin/>.
| madars wrote:
| How good is Firefox sandboxing these days? Last time I looked it
| was years behind Chrome's, but site isolation is definitely a
| step in the right direction.
|
| It would be sad if one day Chromium removed Manifest v2 and there
| was no alternative.
| bastijn wrote:
| Off-topic, but Mozilla blog articles like the click-through
| more-details one always have the most awesome images. They almost
| tell the story without a need to read the text. Another one I
| remember is the one on WebAssembly [0]. Similar style images.
|
| They really allow you to scroll through the post quickly and see
| if it is interesting to read in detail.
|
| [0] https://hacks.mozilla.org/2019/08/webassembly-interface-type...
| jdlyga wrote:
| Does anyone remember Firesomething? The extension that randomized
| the name of Firefox to OceanMonkey, WaterHorse, FlameTiger, etc?
| Powerful extensions and much better UI are the main reasons so
| many of us switched to Firefox back in the early 2000s.
| ksml wrote:
| This is really interesting. Prior to this, Firefox's isolation
| model was much weaker than Chrome's due to only having a pool of
| 8 content processes. If I'm reading the technical blog correctly
| [1], this will move to a process-per-site model without also
| doing process-per-tab as Chrome does, i.e. if you have several
| tabs open on the same site, they'd be in the same process. This
| seems much less resource intensive than Chrome's model while
| still delivering similar security properties.
|
| [1] https://hacks.mozilla.org/2021/05/introducing-firefox-new-si...
| chimeracoder wrote:
| > process-per-tab as Chrome does
|
| This is a common misconception. Chrome doesn't technically do
| process-per-tab.
|
| Chrome's model can most succinctly be described as
| process-per-domain, although even then, there are rare instances
| where two tabs opened on different domains will actually share
| the same process.
| staticassertion wrote:
| It's "scheme + eTLD + 1", with a flag to set it to per
| origin.
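The "scheme + eTLD+1" rule above, and the Public Suffix List discussion earlier in the thread, are easier to reason about with code. The following is an added example, not code from Firefox, Chrome or the blog post: it implements the PSL matching algorithm (longest matching rule, with `!` exception rules taking priority and `*` wildcard labels) over a small constructed subset of PSL rules, then derives the site of a URL as (scheme, registrable domain). The function names `public_suffix`, `registrable_domain`, `site_of` and `same_site` are hypothetical; the real list has thousands of entries, so a production check must load the actual list rather than this excerpt.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed subset of Public Suffix List rules for this example only.
# "*.ck" is a wildcard rule and "!www.ck" an exception rule, in PSL syntax.
PSL_RULES = ["com", "io", "github.io", "uk", "co.uk", "ck", "*.ck", "!www.ck"]


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """A rule matches when its labels equal the host's trailing labels
    ('*' matches exactly one label); the '!' marker is not part of the labels."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host: str) -> str:
    """Public suffix (eTLD) of a host name, following the PSL matching algorithm."""
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in PSL_RULES if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule wins; the suffix is that rule minus its leftmost label.
        prevailing = exceptions[0][1:].split(".")[1:]
    elif matches:
        # Otherwise the matching rule with the most labels wins.
        prevailing = max(matches, key=lambda r: r.count(".")).split(".")
    else:
        # No rule matched: the implicit "*" rule makes the TLD the public suffix.
        prevailing = ["*"]
    return ".".join(labels[-len(prevailing):])


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1: the public suffix plus one more label, or None if the host
    is itself a public suffix (e.g. 'github.io')."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = public_suffix(host).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def site_of(url: str) -> Optional[Tuple[str, str]]:
    """Site of a URL as (scheme, registrable domain). IP literals have no
    registrable domain, so the whole address is used."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return (parts.scheme.lower(), host)
    except ValueError:
        pass
    return (parts.scheme.lower(), registrable_domain(host) or host.lower().rstrip("."))


def same_site(url_a: str, url_b: str) -> bool:
    """True when both URLs belong to the same site and would therefore land
    in the same process under a per-site isolation policy."""
    a, b = site_of(url_a), site_of(url_b)
    return a is not None and a == b


if __name__ == "__main__":
    pairs = [
        ("https://www.example.com/a", "https://api.example.com/b"),   # same site
        ("https://example.com/", "http://example.com/"),              # scheme differs
        ("https://alice.github.io/", "https://bob.github.io/"),       # PSL splits them
        ("https://www.ck/", "https://foo.bar.ck/"),                   # exception rule
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: {site_of(a)} {site_of(b)} -> same_site={same_site(a, b)}")
```

The `github.io` case is the one that matters for isolation: without the list, two unrelated users' pages on a shared hosting domain would be treated as one site and share a process, which is exactly the cross-site boundary site isolation is meant to enforce.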
| iggldiggl wrote:
| Any news about the memory usage overhead this brings? The
| original design goal when the work on site isolation started was
| 1 GB overhead for a browsing session with 100 separate origins
| (can't remember how many tabs that was supposed to correspond to,
| although due to iframes it was definitively less than 100 tabs).
|
| Was this goal reached in the end, or perhaps even surpassed, or
| missed after all?
|
| I guess this also makes adblockers even more valuable in terms of
| saving memory, since each blocked third-party iframe that doesn't
| load is potentially one additional process that doesn't have to
| be created...
| zamadatix wrote:
| In case anyone is wondering about the stability I've been running
| this for a couple of months now and stability has gotten pretty
| darn good. I'm excited to see it go into stable builds soon.
| virginia_a wrote:
| Thank you for this feedback. The Firefox Fission team appreciates
| it. If you see any problems, please file using this template:
| https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&bug_...
| daxelrod wrote:
| This is fantastic work that will greatly improve the security of
| Firefox; big thanks to those who have worked on it. Is there data
| on what effect it will have on memory use?
|
| One of the primary reasons I use Firefox is that it uses
| significantly less memory than Chrome, and the entire OS seems to
| function better as a result (I've seen the most stark difference
| on macOS). I had been under the impression that most of the
| reason Chrome uses so much memory is its multiprocess model.
|
| I understand that maybe we need to give that up for better
| security, but it would be nice to know if that's indeed the
| tradeoff being made here.
| jzelinskie wrote:
| Can anyone explain the relationship to the Firefox "Electrolysis"
| initiative better than this[0]? It looks like Electrolysis was
| just making the browser kernel <> IPC layer and now Fission is
| actually divvying up the processes by origin.
|
| [0]: https://wiki.mozilla.org/Electrolysis#Thanks
| annyg wrote:
| Hi, co-author of the blog post here. There is a more detailed
| blog post explaining how Site Isolation is better than the
| Electrolysis architecture here -
| https://hacks.mozilla.org/2021/05/introducing-firefox-new-si...
| (also linked to from the security blog post). Hope this is
| helpful!
| jzelinskie wrote:
| Thanks for this link. Not sure how I missed it when it's the
| very last word, haha.
|
| I'm not sure what gave me the impression but, in my mind
| "process-per-tab" and "Electrolysis" were linked, but that
| was a misconception:
|
| >In great detail, (as of April 2021) Firefox's parent process
| launches a fixed number of processes: eight web content
| processes, up to two additional semi-privileged web content
| processes, and four utility processes for web extensions, GPU
| operations, networking, and media decoding.
|
| >While separating content into currently eight web content
| processes already provides a solid foundation, it does not
| meet the security standards of Mozilla because it allows two
| completely different sites to end up in the same operating
| system process and, therefore, share process memory. To
| counter this, we are targeting a Site Isolation architecture
| that loads every single site into its own process.
| cpeterso wrote:
| > I'm not sure what gave me the impression but, in my mind
| "process-per-tab" and "Electrolysis" were linked, but that
| was a misconception:
|
| Your impression was mostly correct. Electrolysis is
| basically process-per-tab until you reach eight tabs, but
| after that, tabs start sharing those eight content
| processes.
| cpeterso wrote:
| Correction to my earlier statement: the initial version
| of Electrolysis had just one content process (that could
| be sandboxed apart from the browser parent process), but
| was soon followed up with "e10s-multi" with multiple
| content processes.
| pseudalopex wrote:
| > I'm not sure what gave me the impression but, in my mind
| "process-per-tab" and "Electrolysis" were linked
|
| This always was a long term goal I think. It's per site not
| per tab though.
| gostsamo wrote:
| Hi, I'm a blind user and I'm just dropping to say a big thank
| you for the excellent alt text to the diagrams in the hacks
| post.
|
| Thanks for the browser work as well!
| arkitaip wrote:
| Thank YOU for writing comments like these - it encourages
| us web devs to work harder on accessibility.
| [deleted]
| yorwba wrote:
| I enjoyed the illustrations, but you should try looking at
| your article in Firefox for Android: all pictures overflow to
| the right and it's not even possible to scroll horizontally
| to see the rest.
| ______- wrote:
| @dang please delete this comment
| esclerofilo wrote:
| This is about isolation in OS processes, not browser
| containers.
| oblio wrote:
| Software is hard. Chrome had this in 2008. Firefox had to be
| rearchitected 14 years for this.
| tristan957 wrote:
| This is factually untrue. Site isolation wasn't enabled by
| default in Chromium until v67 in 2018.
|
| https://www.chromium.org/Home/chromium-security/site-isolati...
| oblio wrote:
| https://www.google.com/googlebooks/chrome/big_04.html
|
| http://www.scottmccloud.com/googlechrome/
|
| In early-mid 2008, I created a comic book for Google
| explaining the inner workings of their new open source
| browser Google Chrome.
|
| If I'm mixing this up with
| https://wiki.mozilla.org/Electrolysis, that's still 10 years.
| tristan957 wrote:
| Chrome was a new project, and didn't have to deal with the
| legacy of being built on top of the same source code as
| Netscape Navigator. I do not understand why you are trying
| to make this out to bash Firefox like they aren't as
| competent by taking ~10 years to implement multi-process
| browsing after Chrome. Legacy software and patterns are
| truly painstaking processes to iterate on.
|
| But yes Electrolysis is the initiative that you should have
| referred to in the original comment.
| oblio wrote:
| > Software is hard. Chrome had this in 2008. Firefox had
| to be rearchitected 14 years for this.
|
| How is this bashing? :-)
|
| It literally starts with "Software is hard."
|
| ...
| staticassertion wrote:
| Chrome didn't have this until 2018, as the parent link
| shows. This is not about multi-process architecture.
| Firefox is < 3 years behind, not 10, not 14.
| oblio wrote:
| I was wrong about the actual security policy, but
| multi-process is still a big security win.
|
| And not so related to this, but from what I've heard
| about cracking competitions a few while ago, Firefox was
| not even included, it was considered too easy. Maybe my
| sources were just bad.
|
| And I say this as a Firefox user for the last decade or
| more.
| nfoz wrote:
| Browsers are too big and the web is too complex. Engineering
| failures all around.
|
| As engineers, we should not accept this status quo; we should
| replace it. We need a new web and new software.
| MaxBarraclough wrote:
| See Gemini and Gopher.
|
| https://news.ycombinator.com/item?id=23042424
| pmontra wrote:
| Gopher is from 1991. I used it back then, but HTTP
| won quite easily.
| approxim8ion wrote:
| Gopher is the opposite of new. Gemini is interesting for
| sure, but it's not an alternative to the web as they fully
| admit. It's an alternative to a subset of the web. Let's
| call it the document web. Blogs and articles and so on. But
| as entertaining as it is, it is a very very small subset.
| sfink wrote:
| That's the point. If you want the web, you need today's
| browsers. If you want a subset of the web, your "document
| web" for example, you can get away with something
| simpler.
| MaxBarraclough wrote:
| Respectfully, you're failing to engage with the purpose
| of the project.
|
| > it's not an alternative to the web
|
| Right. You can't have a lightweight drop-in alternative
| to the web, pretty much by definition. Any platform
| capable of everything modern browsers are capable of, is
| by definition enormously complex.
|
| > it is a very very small subset
|
| That's not a flaw, it's a design goal. It isn't meant to
| be a half-baked portable GUI toolkit the way the modern
| web platform is, it's meant to be a simple and minimal
| format, stable and easy to implement. There are other
| formats somewhat like this in common usage, like man
| pages and, of course markdown.
| lumost wrote:
| Firefox appears to be accelerating their feature velocity post
| Mozilla resizing. Curious what changes they made internally to
| refocus development.
| jedberg wrote:
| Has anyone tried this along with Container Tabs? Do they play
| nicely? Does it offer any advantage over Container Tabs?
| db48x wrote:
| Container Tabs are completely orthogonal. A site loaded in a
| tab which is contained in this way cannot access your global
| cookie jar, for example. If you visit a site with a Facebook
| Like button on it, then Facebook will not receive the same
| cookie from you that it would have received if you had loaded
| the site in a non-contained tab. This is true whether or not
| the site has been given its own process to live in. The
| converse is also still true; non-contained sites still have
| access to your global cookie jar even if they're isolated in
| their own process.
|
| Putting sites in their own process mitigates against
| Spectre-like attacks, but it doesn't do anything for higher-level
| problems like third-party cookies.
| rcMgD2BwE72F wrote:
| Any idea?
|
| I'd love to drop
| https://addons.mozilla.org/en-US/firefox/addon/temporary-con...,
| which automatically assigns a temporary container to any new tab,
| which plays nicely with the
| https://addons.mozilla.org/en-US/firefox/addon/multi-account...
| but uses too much memory (at least from my experience).
| OrvalWintermute wrote:
| I think they are complementary, since one is about browser
| site isolation, and one is about process isolation on the
| computer.
|
| Using temporary containers, multi-account containers, site
| isolation, along with a number of other privacy/security
| addons such as uMatrix, LocalCDN, and many others, I have not
| noticed any slowdown.
|
| This on an older broadwell i7 with 32GB of ram.
| jedberg wrote:
| So far it seems to work fine for me too. Can you share your
| list of security/privacy addons? I've used uMatrix but
| never heard of LocalCDN. Was wondering what other gems you
| may have found.
| jedberg wrote:
| I use the same add-ons. I just enabled site isolation. I'll
| let you know how it goes.
| fragileone wrote:
| Enable the Strict Enhanced Tracking Protection setting; this
| turns on Dynamic First Party Isolation, which is the native
| version of what Temporary Containers is aiming to do.
___________________________________________________________________
(page generated 2021-05-18 23:00 UTC)