[HN Gopher] Site Isolation in Firefox ___________________________________________________________________ Site Isolation in Firefox Author : arthuredelstein Score : 290 points Date : 2021-05-18 16:02 UTC (6 hours ago) (HTM) web link (blog.mozilla.org) (TXT) w3m dump (blog.mozilla.org) | korethr wrote: | When Chrome was new and shiny, I used it for a time. Then, the | first time I found myself needing to kill Chrome because it was | completely locked up, I found myself staring at a wall of chrome | processes in the task list, not knowing which one I needed to | kill. At the time, I thought the idea of a separate process for | each tab was silly. Though, with Firefox moving towards this | model, I guess the engineers at Google were prescient in the | correctness of that tradeoff. | | I do use a lot of tabs, so I fear I'm going to find myself facing | the same problem I faced with Chrome: a site misbehaves and locks | things up, crap, which process do I kill? A way of tracking which | tab maps to which process would be nice, so the next time I trip | over a badly-coded page, I don't have to kill everything just to | get my browser to respond again. Lazyweb question to y'all: is | there a feature in Chrome or Firefox that can do this (mapping | tab/page -> process), or have I just stumbled upon a side-project | idea? | carlhjerpe wrote: | In htop I can see and kill the process tree, I think | processhacker2 can achieve the same on Windows. | annyg wrote: | sounds like page "about:processes" in Firefox would be super | helpful in this case! you can use it to unload tabs and kill | processes. | gourlaysama wrote: | On Firefox you can go to `about:processes`. | | It lists tabs by process, and includes the PID (on Linux; no | idea about other platforms). You can also directly kill tabs | and processes from there. | dmos62 wrote: | That's super useful on a resource strapped system. Wish I | knew this earlier. | kakuri wrote: | Process Explorer (from sysinternals) lists processes as a tree | so it's easy to find and kill the root Chrome process. At a | glance it looks like all non-root processes have a "--type" | parameter given to them. The root process has the simplest | command line with only "--remote-debugging-port" being passed. | pspdrome wrote: | Shift+Esc brings out Chrome task manager where you can kill | individual tabs/pages by name. | kbelder wrote: | Nice! | | I suspected gmail was the heaviest thing I regularly had | open, but it's good to see the stats. | ocdtrekkie wrote: | Does this work when Chrome is locked up? Usually people go to | Task Manager because it's unresponsive. | hutrdvnj wrote: | It works when 1..n of your tabs are frozen, but the UI is | still responsive e.g. you are still able to switch to other | tabs. If your chrome is completely frozen i.e. you can't | even open the chrome task manager, then you usually have to | restart the browser. | nfoz wrote: | > a site misbehaves and locks things up | | Why/how can this happen? That sounds like a bad failure of the | browser. | jedberg wrote: | When a tab freezes, I just pull up activity monitor/top and | look for the Chrome process using the most CPU. It's almost | always the culprit. | | I also like to occasionally sort by memory usage and kill the | biggest Chrome processes. Chrome is nice in that it will show | you when a process crashed, so what I do is kill the biggest | memory hog, and then see what tab crashed. Then I do it again a | few times. | | This at least tells me which processes use the most RAM over | time and should be recycled (Spoiler alert, it's always GMail | and then GCal.) | pmontra wrote: | I gave it a try. I opened a new tab to a random website, then | went to about:memory | | Scrolling down I found a section starting with | | > web (pid 1036080) | | > Explicit Allocations | | > 108.27 MB (100.0%) -- explicit | | > +---45.04 MB (41.60%) -- window-objects/top(https://www.that- | random.site/, id=175) | | I try to kill that process now, but I post this message first | in case I kill the whole browser. | | Result: the tab crashed, the browser survived. | | > Gah. Your tab just crashed. | | > We can help! | | > Choose Restore This Tab to reload the page. | | Restore did work. | podiki wrote: | Could anyone here who has been using it report their experience | with site isolation turned on? Do you find anything it breaks or | makes more difficult? Has it altered your privacy/security | practices (in terms of addons, other settings, etc.)? | user764743 wrote: | I've had site isolation on for more than a year. Never had any | issues with it. | yakubin wrote: | This provides more technical details: | <https://hacks.mozilla.org/2021/05/introducing-firefox-new- | si...>, which should be more interesting to HN than a marketing | announcement. | | In particular, it seems that "site" isn't precisely defined. It | seems to be based on domains, but backed by a human-curated list | of "sites": <https://github.com/publicsuffix/list>. | | So it's different than Chrome's "every webpage gets a separate | process". | JonathonW wrote: | Chrome's policy is pretty much the same; while it can generate | a process-per-tab under most conditions, the guarantee it | actually makes (in modern versions of Chrome) is that sites | (including different-origin iframes) are isolated into | different processes. They use the PSL to determine which sites | constitute a different origin, just like Firefox does. | Dylan16807 wrote: | I don't know if "most conditions" is even true. Even when | it's only running a handful of processes and I have plenty of | ram free I _cannot_ convince it to use more than one process | for twitch tabs. | lxgr wrote: | I think there are some restrictions on tab "navigation | source". (Something about a fairly obscure JavaScript | feature that links tabs opened via click navigation, if I | recall correctly.) | | Does this also happen when you type the Twitch URL in a new | tab? | nly wrote: | They've been using the public suffix list for scoping cookies | for ages. It's an important list | SimeVidas wrote: | "Site" is defined in the HTML Standard: | https://html.spec.whatwg.org/multipage/origin.html#same-site | bugmen0t wrote: | The definition of site in this case is | <https://html.spec.whatwg.org/multipage/origin.html#sites>, for | both Firefox and Chrome. If you don't like reading specs, this | blog post might be interesting to you <https://web.dev/same- | site-same-origin/>. | madars wrote: | How good is Firefox sandboxing these days? Last time I looked it | was years behind Chrome's, but site isolation is definitely a | step in the right direction. | | It would be sad if one day Chromium removed Manifest v2 and there | was no alternative. | bastijn wrote: | Offtopic, Mozilla blog articles like the click through more | details one aways have the most awesome images. They almost tell | the story without a need to read the text. Other one I remember | is the one on webassembly [0]. Similar style images. | | They really allow you to scroll through the post quickly and see | if it is interesting to read in detail. | | [0] https://hacks.mozilla.org/2019/08/webassembly-interface- | type... | jdlyga wrote: | Does anyone remember Firesomething? The extension that randomized | the name of Firefox to OceanMonkey, WaterHorse, FlameTiger, etc? | Powerful extensions and much better UI are the main reasons so | many of us switched to Firefox back in the early 2000s. | ksml wrote: | This is really interesting. Prior to this, Firefox's isolation | model was much weaker than Chrome's due to only having a pool of | 8 content processes. If I'm reading the technical blog correctly | [1], this will move to a process-per-site model without also | doing process-per-tab as Chrome does, i.e. if you have several | tabs open on the same site, they'd be in the same process. This | seems much less resource intensive than Chrome's model while | still delivering similar security properties. | | [1] https://hacks.mozilla.org/2021/05/introducing-firefox-new- | si... | chimeracoder wrote: | > process-per-tab as Chrome does | | This is a common misconception. Chrome doesn't technically do | process-per-tab. | | Chrome's model can most succinctly be described as process-per- | domain, although even then, there are rare instances where two | tabs opened on different domains will actually share the same | process. | staticassertion wrote: | It's "scheme + eTLD + 1", with a flag to set it to per | origin. | iggldiggl wrote: | Any news about the memory usage overhead this brings? The | original design goal when the work on site isolation started was | 1 GB overhead for a browsing session with 100 separate origins | (can't remember how many tabs that was supposed to correspond to, | although due to iframes it was definitively less than 100 tabs). | | Was this goal reached in the end, or perhaps even surpassed, or | missed after all? | | I guess this also makes adblockers even more valuable in terms of | saving memory, since each blocked third party-iframe that doesn't | load is potentially one additional process that doesn't have to | be created... | zamadatix wrote: | In case anyone is wondering about the stability I've been running | this for a couple of months now and stability has gotten pretty | darn good. I'm excited to see it go into stable builds soon. | virginia_a wrote: | Thank you for this feedback. Firefox Fission team appreciates | it. If you see any problems, please file using this template: | https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&bug_... | . | daxelrod wrote: | This is fantastic work that will greatly improve the security of | Firefox; big thanks to those who have worked on it. Is there data | on what effect it will have on memory use? | | One of the primary reasons I use Firefox is that it uses | significantly less memory than Chrome, and the entire OS seems to | function better as a result (I've seen the most stark difference | on macOS). I had been under the impression that most of the | reason Chrome uses so much memory is its multiprocess model. | | I understand that maybe we need to give that up for better | security, but it would be nice to know if that's indeed the | tradeoff being made here. | jzelinskie wrote: | Can anyone explain the relationship to the Firefox "Electrolysis" | initiative better than this[0]? It looks like Electrolysis was | just making the browser kernel <> IPC layer and now Fission is | actually divvying up the processes by origin. | | [0]: https://wiki.mozilla.org/Electrolysis#Thanks | annyg wrote: | hi, co-author of the blog post here. There is a more detailed | blog post explaining how Site Isolation is better than the | Electrolysis architecture here - | https://hacks.mozilla.org/2021/05/introducing-firefox-new-si... | (also linked to from the security blog post). Hope this is | helpful! | jzelinskie wrote: | Thanks for this link. Not sure how I missed it when it's the | very last word, haha. | | I'm not sure what gave me the impression but, in my mind | "process-per-tab" and "Electrolysis" were linked, but that | was a misconception: | | >In great detail, (as of April 2021) Firefox's parent process | launches a fixed number of processes: eight web content | processes, up to two additional semi-privileged web content | processes, and four utility processes for web extensions, GPU | operations, networking, and media decoding. | | >While separating content into currently eight web content | processes already provides a solid foundation, it does not | meet the security standards of Mozilla because it allows two | completely different sites to end up in the same operating | system process and, therefore, share process memory. To | counter this, we are targeting a Site Isolation architecture | that loads every single site into its own process. | cpeterso wrote: | > I'm not sure what gave me the impression but, in my mind | "process-per-tab" and "Electrolysis" were linked, but that | was a misconception: | | Your impression was mostly correct. Electrolysis is | basically process-per-tab until you reach eight tabs, but | after that, tabs start sharing those eight content | processes. | cpeterso wrote: | Correction to my earlier statement: the initial version | of Electrolysis had just one content process (that could | be sandboxed apart from the browser parent process), but | was soon followed up with "e10s-multi" with multiple | content processes. | pseudalopex wrote: | > I'm not sure what gave me the impression but, in my mind | "process-per-tab" and "Electrolysis" were linked | | This always was a long term goal I think. It's per site not | per tab though. | gostsamo wrote: | Hi, I'm a blind user and I'm just dropping to say a big thank | you for the excellent alt text to the diagrams in the hacks | post. | | Thanks for the browser work as well! | arkitaip wrote: | Thank YOU for writing comments like these - it encourages | us web devs to work harder on accessibility. | [deleted] | yorwba wrote: | I enjoyed the illustrations, but you should try looking at | your article in Firefox for Android: all pictures overflow to | the right and it's not even possible to scroll horizontally | to see the rest. | ______- wrote: | @dang please delete this comment | esclerofilo wrote: | This is about isolation in OS processes, not browser | containers. | oblio wrote: | Software is hard. Chrome had this in 2008. Firefox had to be | rearchitected 14 years for this. | tristan957 wrote: | This is factually untrue. Site isolation wasn't enabled by | default in Chromium until v67 in 2018. | | https://www.chromium.org/Home/chromium-security/site-isolati... | oblio wrote: | https://www.google.com/googlebooks/chrome/big_04.html | | http://www.scottmccloud.com/googlechrome/ | | In early-mid 2008, I created a comic book for Google | explaining the inner workings of their new open source | browser Google Chrome. | | If I'm mixing this up with | https://wiki.mozilla.org/Electrolysis, that's still 10 years. | tristan957 wrote: | Chrome was a new project, and didn't have to deal with the | legacy of being built on top of the same source code as | Netscape Navigator. I do not understand why you are trying | to make this out to bash Firefox like they aren't as | competent by taking ~10 years to implement multi-process | browsing after Chrome. Legacy software and patterns are | truly painstaking processes to iterate on. | | But yes Electrolysis is the initiative that you should have | referred to in the original comment. | oblio wrote: | > Software is hard. Chrome had this in 2008. Firefox had | to be rearchitected 14 years for this. | | How is this bashing? :-) | | It literally starts with "Software is hard." | | ... | staticassertion wrote: | Chrome didn't have this until 2018, as the parent link | shows. This is not about multi-process architecture. | Firefox is < 3 years behind, not 10, not 14. | oblio wrote: | I was wrong about the actual security policy, but multi- | process is still a big security win. | | And not so related to this, but from what I've heard | about cracking competitions a few while ago, Firefox was | not even included, it was considered too easy. Maybe my | sources were just bad. | | And I say this as a Firefox user for the last decade or | more. | nfoz wrote: | Browsers are too big and the web is too complex. Engineering | failures all around. | | As engineers, we should not accept this status quo; we should | replace it. We need a new web and new software. | MaxBarraclough wrote: | See Gemini and Gopher. | | https://news.ycombinator.com/item?id=23042424 | pmontra wrote: | Gopher is from 1991. I've been using it back then but HTTP | won quite easily. | approxim8ion wrote: | Gopher is the opposite of new. Gemini is interesting for | sure, but it's not an alternative to the web as they fully | admit. It's an alternative to a subset of the web. Let's | call it the document web. Blogs and articles and so on. But | as entertaining as it is, it is a very very small subset. | sfink wrote: | That's the point. If you want the web, you need today's | browsers. If you want a subset of the web, your "document | web" for example, you can get away with something | simpler. | MaxBarraclough wrote: | Respectfully, you're failing to engage with the purpose | of the project. | | > it's not an alternative to the web | | Right. You can't have a lightweight drop-in alternative | to the web, pretty much by definition. Any platform | capable of everything modern browsers are capable of, is | by definition enormously complex. | | > it is a very very small subset | | That's not a flaw, it's a design goal. It isn't meant to | be a half-baked portable GUI toolkit the way the modern | web platform is, it's meant to be a simple and minimal | format, stable and easy to implement. There are other | formats somewhat like this in common usage, like man | pages and, of course markdown. | lumost wrote: | FireFox appears to be accelerating their feature velocity post | Mozilla resizing. Curious what changes they made internally to | refocus development. | jedberg wrote: | Has anyone tried this along with Container Tabs? Do they play | nicely? Does it offer any advantage over Container Tabs? | db48x wrote: | Container Tabs are completely orthogonal. A site loaded in a | tab which is contained in this way cannot access your global | cookie jar, for example. If you visit a site with a Facebook | Like button on it, then Facebook will not receive the same | cookie from you that it would have received if you had loaded | the site in a non-contained tab. This is true whether or not | the site has been given it's own process to live in. The | converse is also still true; non-contained sites still have | access to your global cookie jar even if they're isolated in | their own process. | | Putting sites in their own process mitigates against Spectre- | like attacks, but it doesn't do anything for higher-level | problems like third-party cookies. | rcMgD2BwE72F wrote: | Any idea? | | I'd love to drop https://addons.mozilla.org/en- | US/firefox/addon/temporary-con..., which automatically assigns | a temporary container to any new tab, which plays nicely with | the https://addons.mozilla.org/en-US/firefox/addon/multi- | account... but uses too much memory (at least from my | experience). | OrvalWintermute wrote: | I think they are complementary, since one is about browser | site isolation, and one is about process isolation on the | computer. | | Using temporary containers, multi-account containers, site | isolation, along with a number of other privacy/security | addons such as Umatrix, LocalCDN, and many others, I have not | noticed any slowdown. | | This on an older broadwell i7 with 32GB of ram. | jedberg wrote: | So far it seems to work fine for me too. Can you share you | list of security/privacy addons? I've used Umatrix but | never heard of LocalCDN. Was wondering what other gems you | may have found. | jedberg wrote: | I use the same add-ons. I just enabled site isolation. I'll | let you know how it goes. | fragileone wrote: | Enable Strict Enhanced Tracking Protection setting, this | turns on Dynamic First Party Isolation which is the native | version of what Temporary Containers is aiming to do. ___________________________________________________________________ (page generated 2021-05-18 23:00 UTC)