Deferred process swapping for HTTP redirects with Enhanced Security
127f09e
Enhanced Security (ES) runs navigation targets considered potentially dangerous (e.g. plain HTTP responses) in a more isolated WebContent process. Process swaps are coordinated across three processes: UIProcess (policy), NetworkProcess (the HTTP load), and WebContent (rendering). Previously the ES swap decision was made before the request was issued; this commit moves it to response time.
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
+void NetworkConnectionToWebProcess::adoptNetworkResourceLoader(
+ WebCore::ResourceLoaderIdentifier resourceLoadIdentifier,
+ Ref<NetworkResourceLoader>&& loader)
+{
+ m_networkResourceLoaders.add(resourceLoadIdentifier, WTF::move(loader));
+}
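Review bot: The result of `m_networkResourceLoaders.add(resourceLoadIdentifier, WTF::move(loader))` in adoptNetworkResourceLoader is discarded. WTF's HashMap::add leaves an existing entry in place when the key is already present, so if this connection already tracks a loader under the same identifier, the adopted loader is not stored and nothing reports the failure. Check `isNewEntry` on the returned AddResult and fail the adoption explicitly. Also, the identifier and the loader arrive as independent parameters. If the loader records its own identifier, verify that the two agree before inserting. A comment stating that the loader must already have been detached from its previous connection would document the expected precondition.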
For the common HTTP→HTTPS redirect case the page stays in the original process throughout. For actual HTTP responses, the NetworkProcess parks the in-flight NetworkResourceLoader, the UIProcess spins up a new ES process, and the loader is re-attached via adoptNetworkResourceLoader to resume mid-lifecycle without re-issuing the request to the server — architecturally analogous to how COOP triggers browsing-context-group switches.
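The park-and-adopt handoff described above, as an added C++ model (not WebKit code; `ParkedLoaders`, `Connection`, `Adopt` and the binding of a parked loader to one destination process are hypothetical). It shows the invariants a reviewer would want the re-attachment to keep: adoption is one-shot, only the intended process can claim the loader, and an identifier the destination already holds is never overwritten.

```cpp
// Simplified model of a parked-loader handoff. Hypothetical names, not WebKit's API.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <unordered_map>
#include <utility>

using LoaderID = std::uint64_t;  // stands in for ResourceLoaderIdentifier
using ProcessID = std::uint64_t; // stands in for a WebContent process identity
struct Loader { LoaderID id; };
enum class Adopt { Ok, NotParked, WrongProcess, IdentifierInUse };

// The loaders owned by one WebContent connection.
struct Connection {
    ProcessID process;
    std::unordered_map<LoaderID, std::unique_ptr<Loader>> loaders;
};

class ParkedLoaders {
public:
    // Park a detached loader and record which process may claim it.
    // A second park under the same identifier is refused and that loader is destroyed.
    bool park(std::unique_ptr<Loader> loader, ProcessID allowedProcess)
    {
        LoaderID id = loader->id;
        return m_parked.emplace(id, Entry { std::move(loader), allowedProcess }).second;
    }
    // One-shot adoption: the parked entry is consumed only when every check passes.
    Adopt adopt(LoaderID id, Connection& destination)
    {
        auto it = m_parked.find(id);
        if (it == m_parked.end())
            return Adopt::NotParked;        // never parked, or already adopted
        if (it->second.allowedProcess != destination.process)
            return Adopt::WrongProcess;     // a different process is asking
        if (destination.loaders.count(id))
            return Adopt::IdentifierInUse;  // would collide with a live loader
        destination.loaders.emplace(id, std::move(it->second.loader));
        m_parked.erase(it);
        return Adopt::Ok;
    }
    // Drop a parked loader whose destination never arrived (e.g. launch failed).
    bool cancel(LoaderID id) { return m_parked.erase(id) > 0; }
    std::size_t parkedCount() const { return m_parked.size(); }

private:
    struct Entry { std::unique_ptr<Loader> loader; ProcessID allowedProcess; };
    std::unordered_map<LoaderID, Entry> m_parked;
};
```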
Significance
The deferred-swap mechanism introduces a loader re-attachment protocol where the NetworkResourceLoader crosses process connection boundaries mid-lifecycle — a meaningful new IPC attack surface at the process-isolation boundary.
Audit directions
The loader re-attachment protocol introduces lifetime and identifier-collision edge cases across process boundaries worth close examination.