Tab isolation has recently become a more popular topic. This post is a quick survey of what tab isolation is, how it works, and what it provides.
What is it?
Tab isolation is a way to improve a browser’s reliability by containing the impact of a crash. Depending on how it’s implemented, tab isolation can also help contain some security attacks. There are two different implementations available today, each with different benefits.
In a tabbed browser without isolation, a problem in one tab can crash the entire browser. For example, a crash in a webpage in Firefox 3.6 or IE7 will bring down the entire browser. While modern browsers have features to recover tabs after a crash, the point of isolation is to contain the problem and prevent the browser from stopping. You can see a demo of this here (starting around 13:25).
A Quick Historical Survey
On March 5, 2008, Microsoft released the first IE8 beta with Loosely-Coupled IE (or LCIE for short). This was the first mainstream implementation of tab isolation. On September 2, 2008, Google Chrome’s first beta released with “process isolation.” Mozilla Firefox has recently discussed an “Out of Process Plugins” (OOPP) or Electrolysis project aimed at isolating Firefox plug-ins, such as Flash, from the rest of the browser.
How do today's isolation implementations differ in approach and benefits?
There are a lot of different subsystems in a browser to isolate from each other, and different ways to do it.
IE8 isolates the frame process (title bar, back button, address bar, etc.) from the tab processes (which show web pages). If anything causes a site to crash (an extension like Flash, or the rendering or scripting engine, etc.), the frame and other tab processes will not crash. IE isolates the whole tab – all of its code, data, and extensions – to keep IE resilient to webpages with issues.
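The crash containment described above can be reproduced in miniature. This is an added example, not code from IE or from this post: the page names and the `run_monolithic` / `run_isolated` helpers are hypothetical, and it models only crash containment, not the Protected Mode sandbox.

```python
import subprocess
import sys

# Constructed "pages": Python source standing in for what each tab runs.
# "crashy" simulates a renderer or plug-in fault by aborting its own process.
PAGES = {
    "news": "print('rendered news')",
    "crashy": "import os; os.abort()",
    "mail": "print('rendered mail')",
}


def _exits_cleanly(code, timeout=10):
    """Run code in a separate OS process; True only if it exits with status 0."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", code],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return False  # a hung tab is killed by run() and treated like a crash
    return proc.returncode == 0


def run_monolithic(pages):
    """No isolation: every tab runs inside one process, so one fault loses all."""
    code = "\n".join(f"exec({src!r})" for src in pages.values())
    alive = _exits_cleanly(code)
    return {name: ("ok" if alive else "lost") for name in pages}


def run_isolated(pages):
    """Isolation: the frame (this process) starts one process per tab."""
    return {
        name: ("ok" if _exits_cleanly(src) else "crashed")
        for name, src in pages.items()
    }


if __name__ == "__main__":
    print("monolithic:", run_monolithic(PAGES))
    print("isolated:  ", run_isolated(PAGES))
```

In the isolated run the supervising process keeps going and can report or restart only the tab that failed, which is the reliability property the post attributes to LCIE.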
In addition to using multiple processes, IE8 on Windows 7 and Vista (and IE7 on Vista) sandboxes the tab processes in Protected Mode for security reasons. Specifically, tabs run without permissions to install software, modify settings, or change files of any user. Protected Mode provides defense in depth so that (in most cases) security vulnerabilities in the browser or an add-on (like Flash) cannot be exploited to harm the computer. Isolation makes this additional security possible. (Technically, there are several different types of isolation (process isolation, origin isolation, etc.), and of sandboxing (integrity levels, restricted subsets, DOM mirroring, etc.) as well.)
Chrome’s isolation is a bit different, factoring the different subsystems of that browser along different lines. From their documentation, they have separate processes for rendering, for the frame, and for add-ons (native plug-ins, not extensions). As with IE7, part of Chrome runs with lower privilege. Unlike IE (where page add-ons run at low privilege), plug-ins in Chrome by default run with more privileges. As with any architectural difference, there are scenarios that are better in one architecture and worse in another. Theoretically, for example, a vulnerability in the Flash control running in Chrome does not have a defense-in-depth protection like Protected Mode to contain it.
Isolation is a super important part of modern browsers. It’s essential for delivering a more reliable browsing experience. It can also improve security. Depending on how it’s engineered, it can also have an impact on compatibility with sites and browser extensions.
Andy Zeigler, Program Manager
Two notes here: first, the link for "process isolation" in Chrome links to a reference rather than to the appropriate section. Also, this reference is conveniently about LCIE ;)
Second, you say Chrome has processes for "add-ons (native plug-ins, not extensions)". Maybe the specific part of the documentation you read is outdated, but Chrome extensions can also have their own processes — any extension that has state outside isolated tabs (i.e., anything more than Greasemonkey-like extensions) will have its own process.
The cost of tab isolation in IE8 is too high. It takes seconds just to open a new empty tab. Also, it causes problems with plugins. Consequently, I keep tab isolation switched off.
@Don: It's not tab isolation, it's your addons. New tabs will open in less than 1/3 second without them.
I have yet to find a plugin that has a problem with tab isolation, although poorly written Java applets will not be able to communicate from tab-to-tab. Given that IE8 has hundreds of millions of users, it's clear that there's no widespread problem with tab isolation.
@Daniel: Yeah, binary extension processes are new to Chrome 4.0, but it makes no difference: the binary extension process runs at user-trust, and thus an exploit remains dire.
Off post topic question: any advance in passing ACID 3 tests? Please, keep us informed about your work in this area.
Thanks IE team!
Matt, if tab isolation was slowing down plugins, it would still be at fault. However, this is not the case for me. It also performs miserably with SpyBot-generated restricted site lists.
A big addon that does not work with tab isolation is IE7Pro.
"Tab isolation is a way to improve a browser’s reliability by containing the impact of a crash. (...)
Isolation is a super important part of modern browsers."
Why not, in the first place, fix known, filed, reported, documented, entirely reproducible, testcase-ed application crash bugs and hang bugs occurring in IE8?
Having an explosive air bag in case of car collision is a nice feature but fixing the braking system or the gas/acceleration pedal (electronically controlled) is going to be a lot more relevant, you see, for your customers and everyone involved and it should come first, should be top priority.
Gérard Talbot
Gerard, it's obvious that you're not the developer of large software systems. It's also obvious that you've somehow missed the message that the majority of browser crashes are caused by browser plugins, which the IE team isn't in a position to fix on Adobe's/Sun/Real/Apple's behalf.
Stick to complaining about web standards.
@Don: No, if you gunk up your browser with slow addons, that's either the fault of your addons, or you, for installing such things. Having the first tab be stupid slow and the next one be fast is hardly better than having them all be stupid slow.
SpyBot's zone-spamming is worse than useless and has no security value. You should turn it off.
I stopped using IE7Pro years ago... it's got some fun features, but they hack into undocumented things and are pretty crashy even on IE7.
Matt, the choices between tab isolation and SpyBot and between tab isolation and IE7Pro are actually very easy. The day I am not able to use an effective ad block with IE will be the day I switch to another browser.
Google Chrome crashes on me a lot, using v5 dev of course. ;)
Sadly the browser has to be recovered not just the tab that crashed.
IE 8 is way better at this in my experience.
http://www.cnn.com/2010/TECH/03/04/ie6.funeral/index.html
funeral for ie6
@Matt: I seriously doubt the problem with IE's tab creation time is related to add-ons. On a clean install of Windows 7, IE 8 is still slow starting a new tab. In fact, other browsers (Firefox and Chrome) are faster at creating new windows than IE is at creating a new tab. And I have 15 extensions installed on Firefox.
IE's empty tab creation has always been slow to me, since the IE7 days. I don't recall ever seeing it perform anywhere as close to other browsers on any computer I've ever seen it run, no matter its hardware specs.
@Daniel: My experience is exactly the opposite. IE8 tabs open up blindingly fast after a clean install - unfortunately I have to enable the Java plugin for some websites which makes IE awfully slow :(
How could we have the same behavior for the WebCtrl?
A lot of custom applications are using the IE WebCtrl embedded in their code.
It will be very useful to have the isolation for improving security and reliability.
@Don, well I just opened a new tab in IE8 and it opened before I got chance to count to 1. I think it's a problem with your setup.