undefined | Better HN

0 pointseptcyka1y ago0 comments

Other browsers do site isolation, why can’t Safari? (:

0 comments

lxgr1y ago

Safari definitely does use site isolation (if you check "Activity Monitor", you'll find Safari processes named after the sites they're displaying) in almost all cases.

window.open, in some constellations, is an exception, because the opening and opened sites have an explicit communication facility available to them, unless at least one of the two explicitly opts out of it. As far as I'm aware, Safari also correctly implements that opt-out.

The only thing that Chrome and Firefox seem to be doing on top of that, as far as I understand, is to actually enforce process-per-site even for sites from the same "browsing context group" (i.e. all that can hold programmatic references to each other, e.g. via window.opener), which requires using IPC.

danans1y ago

> Safari definitely does use site isolation (if you check "Activity Monitor", you'll find Safari processes named after the sites they're displaying) in almost all cases.

From the FAQ:

"For leaking secrets, both SLAP and FLOP are confined to the address space they are trained in. As pointed out by iLeakage, Safari lacks Site Isolation, a measure used to enforce that two different webpages not from the same domain can never be handled by the same process. Thus, in Safari it is possible for an adversary's webpage to be handled by the same process (and thus address space) with an arbitrary webpage, increasing the attack surface including LAP- and LVP-based exploits.

On the other hand, although Chrome is equipped with Site Isolation, we demonstrate that it is not a perfect mitigation. We show the real-world existence of corner cases, where two subdomains of the same site can be merged into one process, again leading to LAP- and LVP-based attacks."

lxgr1y ago

Yes, in some special cases, which both embedded/opened and embedding/opening websites can avoid by setting the appropriate HTTP headers/HTML attributes.

Of course it would be better if Safari would do the same thing as Chrome and Firefox and just provide a separate process for all contexts, including those that can communicate per specifications. But there's something sites can do today to avoid this potential information leak.

1 more reply

zamalek1y ago

Right, in what sane world would the website determine operating system process semantics? What next, syscalls?

astrange1y ago

Have you noticed how often people complain Chrome uses too much memory?

lxgr1y ago

Process-per-site isolation doesn't necessarily have to use (much) more memory.

If you pre-initialize the renderer and JavaScript engine and then fork that pre-warmed instance for each site, every page of memory not written to remains shared in physical memory.

Properly accounting for that in task managers is hard, though; on many OSes, Chrome's memory usage looks much scarier than it is in reality.

astrange1y ago

You can't fork a GUI process on Apple OSes, most of the system can't handle it.

It'd also weaken any security protection based on randomness (eg ASLR slide, pointer encryption keys).

1 more reply

bdd8f1df777b1y ago

Not possible on Windows, where most Chrome users are on.

nine_k1y ago

Because long-inactive tabs should go to sleep.

If Chrome itself is not aggressive enough, try the "Auto Tab Discard" extension.

ksec1y ago

There is now a Chrome Option "Memory Saver" which dictate how aggressive it is to put Tab into Sleep.

Safari on the other hand doesn't even have Tab Sleep for whatever reason.

j / k navigate · click thread line to collapse

0 comments

lxgr1y ago

Safari definitely does use site isolation (if you check "Activity Monitor", you'll find Safari processes named after the sites they're displaying) in almost all cases.

danans1y ago

> Safari definitely does use site isolation (if you check "Activity Monitor", you'll find Safari processes named after the sites they're displaying) in almost all cases.

From the FAQ:

lxgr1y ago

Yes, in some special cases, which both embedded/opened and embedding/opening websites can avoid by setting the appropriate HTTP headers/HTML attributes.

1 more reply

zamalek1y ago

Right, in what sane world would the website determine operating system process semantics? What next, syscalls?

astrange1y ago

Have you noticed how often people complain Chrome uses too much memory?

lxgr1y ago

Process-per-site isolation doesn't necessarily have to use (much) more memory.

If you pre-initialize the renderer and JavaScript engine and then fork that pre-warmed instance for each site, every page of memory not written to remains shared in physical memory.

Properly accounting for that in task managers is hard, though; on many OSes, Chrome's memory usage looks much scarier than it is in reality.

astrange1y ago

You can't fork a GUI process on Apple OSes, most of the system can't handle it.

It'd also weaken any security protection based on randomness (eg ASLR slide, pointer encryption keys).

1 more reply

bdd8f1df777b1y ago

Not possible on Windows, where most Chrome users are on.

nine_k1y ago

Because long-inactive tabs should go to sleep.

If Chrome itself is not aggressive enough, try the "Auto Tab Discard" extension.

ksec1y ago

There is now a Chrome Option "Memory Saver" which dictate how aggressive it is to put Tab into Sleep.

Safari on the other hand doesn't even have Tab Sleep for whatever reason.

j / k navigate · click thread line to collapse