
Deferred process swapping for HTTP redirects with Enhanced Security

127f09e

Enhanced Security (ES) runs navigation targets considered potentially dangerous (e.g. plain HTTP responses) in a more isolated WebContent process. Process swaps are coordinated across three processes: UIProcess (policy), NetworkProcess (the HTTP load), and WebContent (rendering). Previously the ES swap decision was made before the request was issued; this commit moves it to response time.

Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp

+void NetworkConnectionToWebProcess::adoptNetworkResourceLoader(
+ WebCore::ResourceLoaderIdentifier resourceLoadIdentifier,
+ Ref<NetworkResourceLoader>&& loader)
+{
+ m_networkResourceLoaders.add(resourceLoadIdentifier, WTF::move(loader));
+}
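
Review bot: In adoptNetworkResourceLoader, the result of m_networkResourceLoaders.add(...) is discarded, so a resourceLoadIdentifier that is already present in this connection's map goes unnoticed and the caller gets no signal about what happened to the moved-in loader. Suggest checking the add result (asserting, or failing the adoption, on a duplicate key) and adding a comment that states which process supplies resourceLoadIdentifier and where it is validated, since nothing in this function checks that the loader was parked for this connection.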

For the common HTTP→HTTPS redirect case the page stays in the original process throughout. For actual HTTP responses, the NetworkProcess parks the in-flight NetworkResourceLoader, the UIProcess spins up a new ES process, and the loader is re-attached via adoptNetworkResourceLoader to resume mid-lifecycle without re-issuing the request to the server — architecturally analogous to how COOP triggers browsing-context-group switches.

The deferred-swap mechanism introduces a loader re-attachment protocol where the NetworkResourceLoader crosses process connection boundaries mid-lifecycle — a meaningful new IPC attack surface at the process-isolation boundary.


The loader re-attachment protocol introduces lifetime and identifier-collision edge cases across process boundaries worth close examination.
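
The lifetime and identifier-collision edge cases mentioned above, as an added example that is not WebKit code: a simplified model of a parked-loader table that allows exactly one adoption, only by the expected target connection, and refuses identifier collisions. All type, member and function names here are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <unordered_map>
#include <utility>

// Simplified model, not WebKit code: every name below is hypothetical.
using LoaderID = std::uint64_t;
using ConnectionID = std::uint64_t;

struct Loader { LoaderID id; };

enum class AdoptResult { Ok, NotParked, WrongTarget, IdentifierInUse };

// Stand-in for one process connection and the loaders it owns.
struct Connection {
    ConnectionID id;
    std::unordered_map<LoaderID, std::unique_ptr<Loader>> loaders;
};

class ParkedLoaders {
public:
    // Park an in-flight loader and record the only connection allowed to adopt it.
    // Returns false if a loader with the same id is already parked.
    bool park(std::unique_ptr<Loader> loader, ConnectionID expectedTarget) {
        LoaderID id = loader->id;
        return m_parked.try_emplace(id, Entry{std::move(loader), expectedTarget}).second;
    }

    AdoptResult adopt(LoaderID id, Connection& target) {
        auto it = m_parked.find(id);
        if (it == m_parked.end())
            return AdoptResult::NotParked;        // unknown id, or already adopted once
        if (it->second.expectedTarget != target.id)
            return AdoptResult::WrongTarget;      // a different connection asked for it
        if (target.loaders.count(id))
            return AdoptResult::IdentifierInUse;  // collision: never overwrite or drop silently
        target.loaders.emplace(id, std::move(it->second.loader));
        m_parked.erase(it);                       // single use: a replayed adopt fails
        return AdoptResult::Ok;
    }

    std::size_t parkedCount() const { return m_parked.size(); }

private:
    struct Entry { std::unique_ptr<Loader> loader; ConnectionID expectedTarget; };
    std::unordered_map<LoaderID, Entry> m_parked;
};
```

Every rejected adoption leaves the loader parked, so the owner of the table still needs a timeout or teardown path to release it.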
