Site isolation
We should implement site isolation, where each site (scheme + domain + port) gets its own WebContent process, and code from each origin only runs in that process.
When one site embeds an iframe from another site, we'll have two WebContent processes that will have to coordinate communication, layout, rendering, input, etc.
Here's how they've done it in Chromium: https://www.chromium.org/Home/chromium-security/site-isolation/
A related issue is site sandboxing, which is ensuring that a compromised renderer process cannot access or tamper with data for origins it isn’t responsible for.
That’s arguably a separate issue (for which this one is a prerequisite), but I’m mentioning it here because site isolation without site sandboxing only protects against information leaks, not code execution.
#3882 implements "simple" site isolation for "sites" (TLD + one level, as in the Chromium description). Nice!
Since this is done in Navigable::navigate, it should also apply to iframes?
Would be good to know whether this issue is still considered open, incl. remaining scope.
- #3882 only mentions one limitation: redirects.
- #3958 seems like a regression issue
> Since this is done in Navigable::navigate, it should also apply to iframes?

Nope, because currently all iframes live within one WebContent process.

> Would be good to know whether this issue is still considered open, incl. remaining scope.

From a security perspective, yes. Full site isolation requires that all cross-origin iframes be in separate processes.
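To make the "site" definition and the process-assignment question in this thread concrete, here is an added example (written for this discussion, not Ladybird code and not what #3882 implements). It computes a site key as scheme + registrable domain, following the Chromium description linked in the issue (which ignores the port; the issue body's wording includes the port, and adding `url.port` to the key is a one-line change), and then places a top-level document and its iframes into per-site processes. Two assumptions: `PUBLIC_SUFFIXES` is a constructed stub of a handful of public-suffix-list entries rather than the real list, and the `ProcessModel` class with its `isolateIframes` flag is a hypothetical sketch that models both the current state described above (all iframes in the top-level document's process) and full site isolation. The stub suffix list is there to show why "TLD + one level" taken literally is not enough: `bbc.co.uk` and `itv.co.uk` would otherwise collapse into the single site `co.uk`, while `alice.github.io` and `bob.github.io`, which are different parties, would share one process.

```javascript
// Added example, not Ladybird code: compute a URL's "site" (scheme + registrable
// domain, following the Chromium description linked in the issue, which ignores
// the port) and hand navigables to per-site WebContent processes.
// PUBLIC_SUFFIXES is a constructed stub of a few public-suffix-list entries; a
// real engine loads the full list from publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "io", "uk", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a host, or null if the host is itself a public
// suffix. Hosts with no known suffix (localhost, IP literals) are returned whole.
function registrableDomain(host) {
  const labels = host.split(".");
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return host;
}

// Site key used to pick a process. Host-less URLs (about:blank, data:) get a
// key of just the scheme here; real engines treat those origins as opaque or
// inherit the creator's origin, which this sketch does not model.
function siteOf(urlString) {
  const url = new URL(urlString);
  if (!url.hostname) return url.protocol;
  const domain = registrableDomain(url.hostname) ?? url.hostname;
  return `${url.protocol}//${domain}`;
}

function sameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Hypothetical process model. isolateIframes=false models the state described
// in the thread (every iframe lives in the top-level document's process); true
// models full site isolation, where each cross-site iframe gets its own process.
class ProcessModel {
  constructor({ isolateIframes = true } = {}) {
    this.isolateIframes = isolateIframes;
    this.processes = new Map(); // site key -> process id
    this.nextPid = 1;
  }

  // Reuse the process already hosting this site, or allocate a new one.
  processFor(urlString) {
    const site = siteOf(urlString);
    if (!this.processes.has(site)) this.processes.set(site, this.nextPid++);
    return this.processes.get(site);
  }

  // Returns Map<url, pid> for a top-level document and its iframes.
  assign(topUrl, iframeUrls) {
    const topPid = this.processFor(topUrl);
    const placement = new Map([[topUrl, topPid]]);
    for (const u of iframeUrls) {
      placement.set(u, this.isolateIframes ? this.processFor(u) : topPid);
    }
    return placement;
  }
}

// Constructed sample: a shop page embedding a same-site widget and a cross-site ad frame.
const page = "https://shop.example.com/";
const frames = ["https://cdn.example.com/widget.html", "https://ads.tracker.org/frame.html"];
console.log("isolated:", [...new ProcessModel({ isolateIframes: true }).assign(page, frames)]);
console.log("single process:", [...new ProcessModel({ isolateIframes: false }).assign(page, frames)]);
```

With `isolateIframes: true` the widget shares the shop's process (same site, different subdomain) while the ad frame gets a second process; with `false` all three land in one process, which is the situation the last reply above calls out. Note that the key does not distinguish `https://example.com:8443` from `https://example.com`, so anything that must be kept apart by port (or by origin rather than site) needs a finer key than this one.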