[tbb-dev] An Electrolysis-based approach for URL-bar domain isolation?

Sun Jan 3 00:01:12 UTC 2016

Hi, everyone -- Happy New Year!

I've been thinking about our work on first-party isolation in Tor
Browser and I am wondering if Mozilla's Electrolysis project presents
a new opportunity.

Currently, we are using a number of isolation patches in Tor Browser:
each patch prevents some browser feature (such the HTTP cache or DOM
storage) from leaking information between URL bar domains. We're
hoping that Mozilla will uplift these patches to mainline Firefox, but
it's a very big task [1].

We have also disabled certain stateful features, including SSL Session
IDs and TLS session tickets, SPDY, auto form-fill, third-party cookies
and third-party HTTP authentication tokens. Disabling these features
is straightforward, but somewhat degrades the browsing experience.

Meanwhile, Mozilla has been pursuing the Electrolysis (e10s) project,
aka Multiprocess Firefox [2]. The first iteration (already implemented
and deployed in Aurora) separates the browser into two processes: one
process for chrome and one process for all content. The content
process is launched by the chrome process; they are both instances of
the `firefox` executable. Mozilla says "In future iterations, we
expect to have more than one content process."

So, I'm thinking: could we use the Electrolysis mechanism to use a
separate content process for each URL bar domain? In that case, any
information in a given content process not explicitly shared with
other processes or written to disk would be automatically isolated to
the URL bar domain [3]. For example, there could be a separate
in-memory cache in each content process.

This approach might have several benefits. It might (a) let us drop
most or all of our existing isolation patches (b) permit us to
re-enable a number of stateful features, (c) protect against
cross-origin tracking attacks we haven't discovered, and (d) allow us
to easily implement a "New Identity for this Domain" menu item [4]. I
also think Mozilla might find our privacy model easier to adopt if it
were implemented this way.

Any thoughts on this idea?

Thanks,
Arthur

[1] Things for which we have already written patches for first-party
isolation include the HTTP cache, the image cache, blob and media
resource URLs, DOM storage, SharedWorkers, OCSP, favicons, and
broadcast channels. We may also write further isolation patches for
cookies, ServiceWorkers, and HSTS/HPKP, and likely other things. Dave
Huseby at Mozilla is currently preparing the ground for attempting to
uplift our patches.

[2] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox

[3] Tor Browser already uses Private Browsing Mode and includes some
additional settings and patches to try to prevent anything private
from being written to disk.

[4] "New Identify for this Domain", the content process would be shut
down and re-started, with a new Tor circuit.