by briansmith 5888 days ago
IE8 does sometimes put multiple tabs in one process, but not all tabs are in the same process. I think Microsoft should move to one-process-per-tab too; if Chrome can do it without any negative performance impact (AFAICT), so should IE. But, I'm not sure the rest of what Chrome does would be useful in IE. Microsoft wants to keep the security enforcement in the operating system so that all native applications can benefit from it. Google is happy to have lots of security enforcement in Chrome itself because it doesn't really care about the security of anything other than Chrome, and it cares about platforms that don't have the security features that Windows has.

In particular, one thing that's strange about NaCl is that plugin processes have stronger security than Chrome itself (unless Chrome is being built with the same or similar NaCl toolchain). In Microsoft's design, plugins are protected equally with the IE tab processes themselves, which seems very sensible to me, considering all the untrusted content that the browser itself has to interpret.

I would still like to know, theoretically, what Chrome's design stops that cannot be stopped using IE8's design, modified to have one tab per process.

1 comments

> IE8 does sometimes put multiple tabs in one process, but not all tabs are in the same process. I think Microsoft should move to one-process-per-tab too;

The problem is that all these processes run in the same sandbox (at the integrity level "Low"), so they are not protected from each other.

> But, I'm not sure the rest of what Chrome does would be useful in IE

Again, like IE, Chrome itself uses OS mechanisms for the sandboxing.

> In particular, one thing that's strange about NaCl is that plugin processes have stronger security than Chrome itself

This differentiation seems reasonable because Chrome itself is considered trusted code, whereas these plugins aren't.

> I would still like to know, theoretically, what Chrome's design stops that cannot be stopped using IE8's design, modified to have one tab per process.

Since IE has one sandbox for all processes, one compromised tab could affect other tabs. Not so in Chrome. If IE switched to one process per tab and one sandbox per process, things would be more similar, but NaCl in a Chrome sandbox would still be more secure than ActiveX in an IE sandbox because of NaCl's additional layer of security. A NaCl plugin would need to exploit weaknesses in both NaCl and the Chrome sandbox in order to do any damage.