Mozilla Announces Project Fission, a Project To Add True Multi-Process Support To Firefox

An anonymous reader quotes a report from ZDNet: After a year of secret preparations, Mozilla has publicly announced plans today to implement a "site isolation" feature, which works by splitting Firefox code in isolated OS processes, on a per-domain (site) basis. The concept behind this feature isn't new, as it's already present in Chrome, since May 2018. Currently, Firefox comes with one process for the browser's user interface, and a few (two to ten) processes for the Firefox code that renders the websites. With Project Fission (as this was named), Firefox split processes will change, and a separate one will be created for each website a user is accessing. This separation will be so fine-grained that just like in Chrome, if there's an iframe on the page, that iframe will receive its own process as well, helping protect users from threat actors that hide malicious code inside iframes (HTML elements that load other websites inside the current website). This is the same approach Chrome has taken with its "Site Isolation."

Chrome memory usage

Firefox: Hold my beer.

Re: Chrome memory usage

Gay baths and terrorist teenagers aside, is there anything nicer than someone who keeps rubbing that knot out of your back way longer than any normal person would spend the time? It is certainly better than someone who slaps you on the back and just makes it worse

Even more copying

In other words, more like Chrome which means even more CPU and memory usage for little gain.

If people think they're not going to go down the same road and eventually gimp extensions as well, then they're naive.

Re: Even more copying

They already gimped extensions.

Re:Even more copying

[arglebargle_xiv]

The concept behind this feature isn't new, as it's already present in Chrome

I think this should actually be the generic template for any news about Chromefox:

Mozilla announces plant to add $X to Firefox. The concept behind this feature isn't new, as it's already present in Chrome.

for any given value of X.

Re: Even more copying

Chrome's plan is to change an API that will essentially kill ad-blockers, and Firefox will probably follow suit.

Fission?

That implies a lot of CSS violations.. it's kind of the opposite idea to absorb and isolate. Project Boron.

I'm starting to hare firefox

[AndyKron]

Yippy. Another fucking update

Re:I'm starting to hare firefox

Wait until Intel puts it on-die as part of their new IME. "The fastest most hyperthreaded browser-on-a-chip is now always on even when your machine is off! Swear to god, it's a feature! Sure someone asked for it!"

Re:I'm starting to hare firefox

With that attitude you won't make it as a cyber man in this cyber world of ours.

Re:I'm starting to hare firefox

people who don't take updates are the antivaxxers of the internet

Re:I'm starting to hare firefox

So are people who use Windows.

Re: I'm starting to hare firefox

So are Nazis! Oh wait, it looks like just throwing out things we hate in conversation does not always work.

Re:I'm starting to hare firefox

[thegarbz]

Yeah damn that completely voluntary update process that I could disable at any time. Damn it to hell!

Re:I'm starting to hare firefox

Office and Windows updates are not voluntary, and people are having trouble when Office decides to update unexpectedly and locks users out of Office apps. Here's one example: https://answers.microsoft.com/... . This will get even worse in the future.

Re:I'm starting to hare firefox

Yeah, see, this discussion is actually about a web browser called Mozilla Firefox. Nothing to do with Microsoft Office, or Windows particularly. If you scroll up to the top of this page, you can get up to speed on the discussion and then even participate!

chrome

Turning more and more into Chrome. One day it will be what Chrome is today.

Help Me Understand?

I don't understand why processes are being used to provide security. Can someone explain it in more detail? If there aren't any bugs in the code, then it shouldn't matter where anything is running because it won't be able to do anything it's not supposed to do. If there are bugs in the code, why wouldn't they be able to exploit them to communicate with the other processes and cause just as many issues? I would think spending time implementing a simpler thread pool with everything being task based would be a more secure design. The threading model would be less complex (so in theory less bugs and any bugs are easier to find) and easier/faster to implement so they'd be more time left over to find and fix other bugs. Furthermore, a thread pool would be far more scale-able and resource efficient.

Re:Help Me Understand?

[AHuxley]

Each malware filled web page and tab gets it own part of the CPU and memory to stay in.
Faster too and the OS can still keep up in the background as it has its own part of the CPU.
Everyone gets a part of the CPU.

Re:Help Me Understand?

[Shikaku]

Except it's already a feature in Chrome(ium) since version 67, and you can read how it works here: http://www.chromium.org/Home/c...

This takes up a bit more RAM however, because each process has its own heap and executable thread for each tab or domain if you enable it by domains only (disabled by default).

This looks to be almost the same thing except just by domains instead.

Re:Help Me Understand?

[Immerman]

> If there aren't any bugs in the code,
Ha! Good one!

> If there are bugs in the code, why wouldn't they be able to exploit them to communicate with the other processes and cause just as many issues?
You might be able to, but you might not - it depends entirely on the nature of the bugs.

Basically security programming amounts to putting multiple layers of armor around something, knowing full well that none of the layers are perfect. However, each layer makes it more difficult (read: expensive) to get to the chewy center, at least early on before the vulnerabilities are well known.

And when someone inevitably does find a way through, and the developers learn of it? Then that "one" vulnerability is actually a list of the vulnerabilities that were exploited in each layer or armor - fix any one of those holes and you're safe again, at least until they find a new way through that layer of armor. Fix most or all of them, and you send them back to the drawing board.

Re:Help Me Understand?

[Tailhook]

I don't understand why processes are being used to provide security.

Processes leverage MMU hardware to achieve memory isolation such that each process has a private address space that can't be violated by another process without either compromising the OS or overcoming the MMU (rowhammer/spectre/etc.) You will now argue that the processes in a multi-process browser already communicate, pretending that this communication is unfettered by any limits. It is not. The browser designers control this communication with the intention of defending against compromised processes by dropping unnecessary privileges and minimizing the IPC attack surface.

why wouldn't they be able to exploit them to communicate with the other processes and cause just as many issues?

Because the OS and the MMU are specifically designed to prevent unprivileged processes from communicating with other processes. You will now argue that OS's aren't perfect and chips have flaws and so such designs are pointless. You will do this despite the fact that your proposal relies on hypothetical bug free systems as well, as we see here:

If there aren't any bugs in the code...

You're free to fantasize about bug-free systems, but the purveyors of real software must contend with bugs. Bugs in extensions, third party dependencies, compilers and their runtimes, drivers and every other conceivable thing. Any exploited flaw delivers the entire address space of your thread pooled browser and everything it's doing with no further effort. Process isolation at least offers an impediment to further comprise beyond the exploited process.

Google was right to design Chrome as they have, and Mozilla has been remiss in taking this long to copy it.

Re:Help Me Understand?

[rtb61]

I don't know, I struggle to believe that, hell Mozilla are incapable of shifting the tab bar back below the address bar where it belongs, so fancy stuff, I am not so sure about that any more.

Re:Help Me Understand?

[Kjella]

You're free to fantasize about bug-free systems, but the purveyors of real software must contend with bugs. Bugs in extensions, third party dependencies, compilers and their runtimes, drivers and every other conceivable thing. Any exploited flaw delivers the entire address space of your thread pooled browser and everything it's doing with no further effort. Process isolation at least offers an impediment to further comprise beyond the exploited process.

And even if it's not malicious/exploitable, it'll crash everything. That was my main annoyance, if you got one misbehaving tab in Chrome you can sort by CPU/memory use, find and kill it if it doesn't die on its own. In Firefox it was the "what tab is killing it now" guessing game.

Re:Help Me Understand?

Also, people are still stuck in the Win 9x mentality of more processes = bad. Processes are cheap these days. They're literally complaining that their task manager list is slightly longer to scroll, but Windows now even knows how to combine them under a dropdown arrow.

Re:Help Me Understand?

Can you blame them, though? A Windows Surface running Windows 10 uses up about 85% of its available system resources RIGHT OUT OF THE BOX. This happened on a Linus Tech Tips video, I wish I could remember what the video was about so I could look it up and link it here. His reaction was hilarious: "What the hell, Microsoft?! You MADE this thing!"

So yeah, for most people still in Microsoft land who aren't running a beefy custom built desktop with shitloads of RAM, more processes is definitely bad, even today.

If you don't have a Surface, see if any are being demoed at a computer store. Pull up the task manager and see for yourself if you don't believe me. If the store has the task manager blocked by group policy, act interested in the device and ask for a store technician to unlock it so you can "see if it's right for you".

Great, now pledge to keep Manifest V2 for uBlock

...and we'll have some real choice for privacy after Google/Chromium's latest dick move to nerf all adblockers other than AdBlock Plus, the one they have bought a huge interest in so they can control it.

Heard of Rust?

[tepples]

What you suggest is in fact being done. Servo is the project to rewrite Firefox's engine in Rust, a modern language focusing on provable thread safety through abstractions with zero runtime cost. Quantum is the project to replace parts of Firefox's engine written in C++ with the parts of Servo that are completed.

Re: Heard of Rust?

You mean you expect people to do their research and know what they're talking about before commenting? What a crazy concept!

Re:Heard of Rust?

Programming languages are tools and not a goal. A better browser will be a better browser by being a better browser, not because it's programmed in Rust.

If past experience tells us anything.. The pitfalls of re-writing a complex piece of software are always worse than any theoretical benefit from a new language.

One process per window or tab.

That should be it.

This will do nothing to properly isolate inter-site scripting attacks, it will increase memory footprint (less if you are on linux and have ksm(kernel samepage merging) running and the threads flagged as ksm compatible.), increase attack surface, and further complicate the already messy debugging firefox requires.

If we were to go back and fork from FF-ESR 38, 45, or 52, implement this process isolation on a per-window or per-tab basis, and have plugins tied to per-window or per-tab sessions, the security, speed, and usability would be the same or greater than this half baked idea, while also reducing the debugging complexity and the overhead of this plan. Just because Scroogle does things one way doesn't mean we all need to get fucked by them even when we're using a competitors product (And despite Mozilla's collusion and no doubt kickbacks for all these Chrome-like changes, they ARE still competition.)

Re:One process per window or tab.

You're so right, [random Internet user with a strong opinion]. Clearly you know better than everyone actually making browsers just how things should work, and clearly they're just doing what they do for completely inane reasons. Please share more of your obviously correct wisdom, and not only because it's popular among other [random Internet users with strong opinions].

Re:One process per window or tab.

[roca]

Mozilla didn't see site isolation as a high priority until Spectre happened. Unfortunately it is now obvious that given a high-resolution timer, JS can probably read the contents of almost everything in the address space of the process it belongs to using side channels. That means site isolation has to be a priority.

As a temporary fix various timing channels have had their precision reduced, but that's only a partial workaround at best. Also Mozilla wants to enable parallelism primitives for Javascript that can be (mis)used to gather high-precision timing data.

Fine-grained multiprocess has some downsides but Mozilla can't afford to lag behind in security and privacy.

Re:One process per window or tab.

How about the timers precision degrades the more often you use it. Calling getNanoTime() or whatever thousands of times per second? Make it very quickly degrade to getMilliTime() * 1000000;

Re:One process per window or tab.

Found the guy who has never developed a web app!

Your idea is bad, and you should feel bad.

Re:One process per window or tab.

[iive]

I think that they did exactly that, lowered the precision of the timers.

However if you have threads, you can make your own high precision timer by running a loop in a single thread while doing the side channel in another.

Re:One process per window or tab.

How can you read memory you shouldn't be able to using a high-resolution timer?

Re:Typical C(++) coders.

[AHuxley]

Time for an Ada browser on an Ada OS.

Local Render Server?

[0100010001010011]

How long until we have some HTML5/CSS/JS hardware accelerated chip to do the actual rendering and just pass the display information to a 'thin client'?

At some point it's going to be faster to x11 forwarding/VNC to a bigger machine somewhere else to handle the latest JS framework.

Re:Local Render Server?

[Waccoon]

I think you just suggested that we either switch to multi-core CPUs (welcome to 2010), or we switch to cloud rendering (over my dead body).

Re:Local Render Server?

[lister+king+of+smeg]

How long until we have some HTML5/CSS/JS hardware accelerated chip to do the actual rendering and just pass the display information to a 'thin client'?

At some point it's going to be faster to x11 forwarding/VNC to a bigger machine somewhere else to handle the latest JS framework.

I think it was either oprea mini or opera mobile actually did this to run a their browser at reasonable speeds on early feature phones it would render the web pages on their servers and send the output compressed to the phone were it would decompress it and show the rendering.

Re:Local Render Server?

I know it's not what you propose, but check out the webrender in Nightly. Since those AI algorithms get the acceleration even in the general purpose cores soon, maybe something to accelerate dynamic languages like JS would be in order to save the mobile power budgets and to put those extra available transistors at work.

Re:Local Render Server?

[afidel]

Well, Windows is nearly there, they actually allow you to run the browser engine in a VM if you have Enterprise and configure it to do so. Unfortunately with the recent announcement that they are moving the rendering engine from EdgeHTML to Chromium for Edge I'm not sure if the feature will be supported going forward. I hope they do as it's one of the better end user security features now that Outlook isn't such a steaming pile.

Re:Local Render Server?

I don't think he suggested either of those things. What on Earth are you talking about?

Secret prep != OSS?

[xxxJonBoyxxx]

>> After a year of secret preparations,

Can someone help me square the "open" part of OSS with "a year of secret preparations" please?

Re:Secret prep != OSS?

It's not a secret, that's just a shitty summary. Anyone who follows (and cares) about this stuff will know about it already, as Mozilla has publicly-visible bugs in their tracker about Project Fission for a while now, and aren't shy about the details in those bugs.

Re:Secret prep != OSS?

[roca]

Translation: "After a year of open discussion we didn't notice until now,"

Here for example is an overview of memory usage reductions related to Fission, from July 2018: https://mail.mozilla.org/piper...

Re:Secret prep != OSS?

we prepared this in 2014 already. we had to move stuff around until we could actually multi process at all. and sandbox. and move things around more.
firefoxos helped a lot making this happen because the mozilla management didnt care one bit, but it was required for firefox os to work well enough (its not kaios, 3rd worldwide mobile os). chrome was already ahead of course at the time and they were already dealing with this as well. for them, maybe it was secret, but their employee live next floor and keep talking everything anyway.

it took a lot more pushes, and eventually over the past years some of management approved that we should finish this up...

i worked on this directly, as paid staff. its not secret at all.
and while its a bit scary and uses more ram its definitely a big gain for security

I love Firefox but...

I have to turn the multi-process thing to "one content thread" for best performance. More processes doesn't help, especially on really old machines with single-core CPUs. I want the Firefox devs to dogfood on a fucking VIA C7.

Re:I love Firefox but...

There was a study not long ago that showed that roughly 80% of computers used today are dual-core and with 4 GB of RAM or less. That's horribly inadequate nowadays even for web-browsing, let alone also trying to run Windows 10 on.

Quad-core and 8 GB of RAM seems to be the new minimum for a decent experience and I only expect that to keep rising over time.

Re:I love Firefox but...

My old Intel Atom based EeePC is going to hate this, too. That being said, I still welcome this change. Security is more important than anything. If I have to finally buy a new laptop for web usage, I'll be glad to have the fire under my ass. This fucker only has 1GB of RAM. I could expand it to 2GB, but what kind of practical difference would that really make these days?

I could still use it offline, maybe throw 32-bit Lakka on there and use it as a portable emulator machine. It's not going to the landfill any time soon.

Terrible news for tab hoarders (Like me)

So now I’m going to have like 500-600 additional processes running on my box every day. Hrm.

Re:Terrible news for tab hoarders (Like me)

So now Iâ(TM)m going to have like 500-600 additional processes running on my box every day. Hrm.

Yes, because tab hording on the order of 100+ tabs is not a typical or legitimate use case for a mainstream browser.

I'm sorry, but I'm happy that browser designers do not cater to that use case. Not because I want to cause you pain or inconvenience you, but because attempting to cater to that use case holds us all back from useful improvements. I'm sympathetic to people nailed by software updates breaking workflows, but there's a certain point where the answer is "yes, really, you are Doing It Wrong."

So yes, to you and everyone else inconvenienced by these potential changes: Please go use Pale Moon. Do it now, do it today, let this be the impetus. That way, you can gleefully post on Slashdot about how you are using Pale Moon on every single Slashdot article about Firefox. Bend Pale Moon to cater to your workflow, and leave Firefox the hell alone. You can benefit from herd immunity since no one will bother to exploit Pale Moon, all while the rest of us can enjoy a modern browser.

Let the rest of us live like it's about to be 2020, not 2005.

Re:Terrible news for tab hoarders (Like me)

No because you already use lazy loading, like any sane person with tens to hundreds of tabs do.

Quantum Fission?...

Is that a real thing?

Re:Typical C(++) coders.

I know you're just trolling for the lulz but Firefox already supports multi-processing through threading. They're moving to processes to sandbox things because a web browser's entire function is to run code from unknown/untrusted sources. But cool reference to the hip programming language bro. When you need something that actually works written by people who understand the requirements and the system it's running on I'll be over with the other graybeards. // and don't forget to bring us another shitty six pack when you do.

Can't hurt the best ad/threat/tracker blocker

See subject (doesn't run in a browser) & APK Hosts File Engine 2.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

* ONLY 1 of its kind in GUI 4 Linux (soon 4 MacOS)!

APK

P.S.=> Protects vs. scripts/trackers (kernelmode faster vs. usermode slower NoScript vs. 3rd party script)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware download/malcript/email malicious payload

Great... More of a hog?

[PhotoGuy]

So instead of taking 100% of my CPU, Firefox will be able to take 500% or 1000% of my CPU (100% for every tab I have opened and Firefox is spinning on for some reason.)

And so instead of nearly crashing my machine by hogging resources, it most certainly will.

Please, Firefox devs, get the CPU and memory leaks, javascript wedging, etc., under control before splitting things into more processes (which will just further hide such performance/memory leaks for now.)

At least one might (supposedly?) be able to kill off rogue/misbehaving pages on a per-process basis. But again, a properly functioning/secure/stable browser wouldn't have that need in the first place.

Sigh. 15% market share vs. Chrome's 60%, I fear for FF's future. It's my main browser, and the last viable hope for any privacy or security on the web (unless you wholehearted trust google.)

Firefox Quantum memory footprint

[kbahey]

Memory footprint is bad with Quantum. Never had my laptop swapping until I upgraded to Firefox Quantum.

However, there is a workaround:

Under Preferences -> Performance -> Content Process Limit, change it from 4 to 2 or 1.
The default is the number of cores in your CPU, and when I went from a 2 core laptop to a 4 core one, memory skyrocketed. Setting it back to 2 or 1 keeps it under control.

Also add the Auto Tab Discard Addon, and set it for 15 minutes.

Re:Great... More of a hog?

Ugh. I'm so tired of Firefox suddenly taking up 100% of my