Tab Isolation
Tab isolation has recently become a more popular topic. This post is a quick survey of what tab isolation is, how it works, and what it provides.
What is it?
Tab isolation is a way to improve a browser’s reliability by containing the impact of a crash. Depending on how it’s implemented, tab isolation can also help contain some security attacks. There are two different implementations available today, each with different benefits.
In a tabbed browser without isolation, a problem in one tab can crash the entire browser. For example, a crash in a webpage in Firefox 3.6 or IE7 will bring down the entire browser. While modern browsers have features to recover tabs after a crash, the point of isolation is to contain the problem and prevent the browser from stopping. You can see a demo of this here (starting around 13:25).
A Quick Historical Survey
On March 5, 2008, Microsoft released the first IE8 beta with Loosely-Coupled IE (or LCIE for short). This was the first mainstream implementation of tab isolation. On September 2, 2008, Google Chrome’s first beta released with “process isolation.” Mozilla Firefox has recently discussed an “Out of Process Plugins” (OOPP) or Electrolysis project aimed at isolating Firefox plug-ins, such as Flash, from the rest of the browser.
How do today's isolation implementations differ in approach and benefits?
There are a lot of different subsystems in a browser to isolate from each other, and different ways to do it.
IE8 isolates the frame process (title bar, back button, address bar, etc.) from the tab processes (which show web pages). If anything causes a site to crash (an extension like Flash, or the rendering or scripting engine, etc.), the frame and other tab processes will not crash. IE isolates the whole tab – all of its code, data, and extensions – to keep IE resilient to webpages with issues.
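The crash containment described above, as an added sketch that is not IE's code: a frame process starts one child process per tab, one tab faults, and the frame reaps it while the other tabs finish normally. It assumes a POSIX system (`fork`/`waitpid`) rather than Windows; `run_frame`, `render_page` and the sample tab names are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TABS 8

/* Hypothetical tab body: "renders" a page. The constructed URL "crash"
   stands in for a faulting plug-in or rendering-engine bug. */
static int render_page(const char *url) {
    if (strcmp(url, "crash") == 0)
        raise(SIGSEGV);
    return 0;
}

/* Frame process: starts one child process per tab and reaps them all.
   crashed[i] is set to 1 if tab i did not exit cleanly, else 0.
   Returns how many tabs finished cleanly, or -1 if n is out of range. */
int run_frame(const char *urls[], int n, int crashed[]) {
    pid_t pids[MAX_TABS];
    int ok = 0;
    if (n < 0 || n > MAX_TABS)
        return -1;
    for (int i = 0; i < n; i++) {
        pids[i] = fork();
        if (pids[i] == 0) {                /* tab process */
            signal(SIGSEGV, SIG_DFL);      /* a fault kills only this process */
            _exit(render_page(urls[i]));
        }
    }
    for (int i = 0; i < n; i++) {
        int status = 0;
        crashed[i] = 1;                    /* assume a crash until proven clean */
        if (pids[i] > 0 && waitpid(pids[i], &status, 0) == pids[i] &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0)
            crashed[i] = 0;
        ok += !crashed[i];
    }
    return ok;
}

int main(void) {
    const char *urls[] = {"news", "crash", "mail"};  /* constructed sample tabs */
    int crashed[3];
    int ok = run_frame(urls, 3, crashed);
    for (int i = 0; i < 3; i++)
        printf("tab %d (%s): %s\n", i, urls[i], crashed[i] ? "crashed" : "ok");
    printf("frame still running, %d of 3 tabs finished cleanly\n", ok);
    return 0;
}
```

Calling `render_page("crash")` directly in the frame instead of in a child would terminate the frame as well, which is the no-isolation case the post describes.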
In addition to using multiple processes, IE8 on Windows 7 and Vista (and IE7 on Vista) sandboxes the tab processes in Protected Mode for security reasons. Specifically, tabs run without permissions to install software, modify settings, or change files of any user. Protected Mode provides defense in depth so that (in most cases) security vulnerabilities in the browser or an add-on (like Flash) cannot be exploited to harm the computer. Isolation makes this additional security possible. (Technically, there are several different types of isolation, such as process isolation and origin isolation, and of sandboxing, such as integrity levels, restricted subsets and DOM mirroring.)
Chrome’s isolation is a bit different, factoring the different subsystems of that browser along different lines. From their documentation, they have separate processes for rendering, for the frame, and for add-ons (native plug-ins, not extensions). As with IE7, part of Chrome runs with lower privilege. Unlike IE (where page add-ons run at low privilege), plugins in Chrome by default run with more privileges. As with any architectural difference, there are scenarios that are better in one architecture and worse in another. Theoretically, for example, a vulnerability in the Flash control running in Chrome does not have a defense-in-depth protection like Protected Mode to contain it.
Isolation is a super important part of modern browsers. It’s essential for delivering a more reliable browsing experience. It can also improve security. Depending on how it’s engineered, it can also have an impact on compatibility with sites and browser extensions.
Andy Zeigler
Program Manager
Comments
Anonymous
January 01, 2003
@Andy Zeigler [MSFT] findText in text range: IE6, IE7 and IE8 will crash http://www.gtalbot.org/BrowserBugsSection/MSIE8Bugs/crash-ie8-findtext-in-range.html There can not be a rational explanation as to why this crash bug will not be fixed for IE9. That particular bug had been publicly reported months ago, in broad daylight, months before IE8 was RTW. http://www.w3.org/Style/CSS/Test/CSS2.1/20100127/html4/universal-selector-005.htm Who exactly is saying that IE8 passes all testcases submitted to CSS 2.1 test suite? There can not be a rational explanation as to why such crash bug (reported fair and square: bug 427231) will not be fixed for IE9. Application hang, CPU maximized: bug 414807 ( https://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=414807 ) Reported before IE8 RTW with all the relevant steps, entirely reproducible. Application hang, CPU maximized: bug 366200 ( https://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=366200 ). Reported several months before IE8 RTW with all relevant steps, entirely reproducible. Page gets entirely blank: http://www.w3.org/Style/CSS/Test/CSS2.1/20100127/html4/max-height-106.htm There are other crash bugs and application hang (CPU maximized; caused by infinite reflow loop) bugs afflicting IE8, publicly reported with steps and/or testcases. Gérard Talbot
Anonymous
March 04, 2010
Two notes here: first, the link for "process isolation" in Chrome links to a reference rather than to the appropriate section. Also, this reference is conveniently about LCIE ;) Second, you say Chrome has processes for "add-ons (native plug-ins, not extensions)". Maybe the specific part of the documentation you read is outdated, but Chrome extensions can also have their own processes — any extension that has state outside isolated tabs (i.e., anything more than Greasemonkey-like extensions) will have its own process.
Anonymous
March 04, 2010
@Don: It's not tab isolation, it's your addons. New tabs will open in less than 1/3 second without them. I have yet to find a plugin that has a problem with tab isolation, although poorly written Java applets will not be able to communicate from tab-to-tab. Given that IE8 has hundreds of millions of users, it's clear that there's no widespread problem with tab isolation. @Daniel: Yeah, binary extension processes are new to Chrome 4.0, but it makes no difference, the binary extension process runs at user-trust and thus exploit remains dire.
Anonymous
March 04, 2010
Matt, if tab isolation was slowing down plugins, it would still be at fault. However, this is not the case for me. It also performs miserably with SpyBot-generated restricted site lists. A big addon that does not work with tab isolation is IE7Pro.
Anonymous
March 04, 2010
Gerard, it's obvious that you're not the developer of large software systems. It's also obvious that you've somehow missed the message that the majority of browser crashes are caused by browser plugins, which the IE team isn't in a position to fix on Adobe's/Sun/Real/Apple's behalf. Stick to complaining about web standards.
Anonymous
March 04, 2010
Matt, the choices between tab isolation and SpyBot and between tab isolation and IE7Pro are actually very easy. The day I am not able to use an effective ad block with IE will be the day I switch to another browser.
Anonymous
March 04, 2010
Google Chrome crashes on me a lot, using v5 dev of course. ;) Sadly the browser has to be recovered not just the tab that crashed. IE 8 is way better at this in my experience.
Anonymous
March 04, 2010
http://www.cnn.com/2010/TECH/03/04/ie6.funeral/index.html funeral for ie6
Anonymous
March 04, 2010
@Matt: I seriously doubt the problem with IE's tab creation time is related to add-ons. On a clean install of Windows 7, IE 8 is still slow starting a new tab. In fact, other browsers (Firefox and Chrome) are faster at creating new windows than IE is at creating a new tab. And I have 15 extensions installed on Firefox. IE's empty tab creation has always been slow to me, since the IE7 days. I don't recall ever seeing it perform anywhere as close to other browsers on any computer I've ever seen it run, no matter its hardware specs.
Anonymous
March 04, 2010
@Daniel: My experience is exactly the opposite. IE8 tabs open up blindingly fast after a clean install - unfortunately I have to enable the Java plugin for some websites which makes IE awfully slow :(
Anonymous
March 04, 2010
How could we have the same behavior for the WebCtrl? A lot of custom applications are using the IE WebCtrl embedded in their code. It will be very useful to have the isolation for improving security and reliability.
Anonymous
March 04, 2010
@Don, well I just opened a new tab in IE8 and it opened before I got a chance to count to 1. I think it's a problem with your setup.
Anonymous
March 04, 2010
I have seen FF tab speed below IE yet no extensions. Anyway not only extensions matter, but what programs are installed. If you have Spybot, Tortoise SVN, GIT, Hg and Bazaar and one AV then speed will be far below average... What I measured I had new tab around 101ms when on blank page and 300-400 ms when regular webpage. As far as I can say those who complain about slow tabs (any tabbed browser) need to examine details of system and go far below surface. There are too many ways how to shoot performance and many are outside of browser-creator's control. And AFAIK every tab has its own instance of extensions, that's why number and quality of extensions matter.
Anonymous
March 04, 2010
The Mozilla guys had the idea of plugin process isolation quite some time now, even before Google Chrome became public. The Chrome guys stated that they were forced to run plugin processes with higher privileges because of compatibility problems. Extensions in Chrome (in JavaScript) also have their own process.
Anonymous
March 04, 2010
> If you have Spybot, Tortoise SVN, GIT, Hg and Bazaar and one AV then speed will be far below average...
I have 5/7. Chrome opens new tabs instantly.
Anonymous
March 04, 2010
I have 5/7. Chrome opens new tabs instantly. Does it create new process for new tab? (Forgot) AFAIK: New threads are not affected, but when new process is created it causes heavy activity - like by Teatimer; even disk activity - Tortoise (fitting) === I forgot a reason: "Spamming" of restricted zone by Spybot. ==== I should run Process monitor again to see activity as current Win7 has slow tab creation while main computer (XP) is fast.
Anonymous
March 04, 2010
"If IE can't load blank tabs in 1/4 second or less (REGARDLESS HOW MANY ADDONS ARE INSTALLED) then IE FAILED. YES IE FAILED." So if I create a plugin that deliberately has a 10-second pause while loading, and it takes 10 seconds for the plugin to load, that's IE's fault?
Anonymous
March 04, 2010
I had about 15 tabs open in an XP system with 512 MB memory (so naturally memory is very tight). I closed all tabs except 1, but IE still had about 4 iexplore processes running in the background. WHY DOESN'T IE8 release resources immediately when not needed?
Anonymous
March 05, 2010
@Daniel: What AV program do you use? Some hook deeply into IE while doing nothing in other browsers. Unfortunately, that can hurt performance. As for the question of videos... last time this conversation came up (early last year) I took a quick capture of one of my computers which has a few well-written addons enabled (e.g. Ralph Hare's Mouse Gestures and a few I wrote); I posted the low-quality video here: http://www.enhanceie.com/ie/newtab.wmv
Anonymous
March 05, 2010
@frymaster - if an IE plugin takes 10 seconds to initialize the plugin is garbage. So there are actually 2 problems with IE addons right now. 1.) They are loaded automatically for every new tab regardless if they are needed or not (IE design bug) 2.) Addon developers are not being smart with their code to first check the page url before loading/doing any initialization. e.g. when IE opens a new tab "about:blank" or "about:tabs" all addons should (a) Not be initialized (IE bug) and (b) if they are (e.g. MSFT doesn't fix their design) then the addons should check the URL first... if not a "real" url (e.g. not "about:blank" or "about:tabs" etc.) then it should immediately abort initialization and return. However the most important item is (c). ======================================= ======================================= (c) Before IE loads ANY addon code whatsoever, it should fully load the new tab, focus the address bar and THEN AND ONLY THEN, initialize addons in a separate thread (e.g. do not lock up the browser and stop me from typing a new url etc.)
Anonymous
March 05, 2010
Here is an interesting article... oddly enough, from the same blog. http://blogs.msdn.com/ie/archive/2009/07/18/how-to-make-ie-open-new-tabs-faster.aspx Posted a while back, but maybe helpful for further testing on your slowness issues. My tabs ordinarily open up immediately in both IE7 and IE8. Although I do run across a lot of websites that are just horribly coded.
Anonymous
March 05, 2010
@Daniel (Funny, my first name as well..) Interesting about 64b XP. Was that 32 or 64 version of IE? What could be otherwise difference since I have XP 32 - fast tabs and until recently Win7 32 fast as well. Maybe analysis of Process Monitor log would be able to show resource hog or larger operations on registry and/or network. (I take it there is not much HDD activity) ==== Issue seems to be somewhat strange as similar complement of programs yields different results. As for YT videos, why to bother making video about normal operation? But one should be wary if video capture wasn't slowing PC too much.
Anonymous
March 05, 2010
@Klimax - I use Tortoise SVN but had no idea it makes IE8's tabs slow! Can you clarify why it makes it slow or provide a link to more details? Thanks.
Anonymous
March 05, 2010
@Matt - I've done several clean installs of Windows (XP, Fista and Win 7) with IE 7 and IE 8, no plugins, and had tabs take 2 seconds to open. I don't know why some people have the issue and others not, but just telling people "it's your setup with your plugins" isn't always the case.
Anonymous
March 05, 2010
Aryeh brings a good point, since most Windows users are still running XP, then most users are worse off security wise running IE8 than running Chrome. Andy Zeigler, do you agree?
Anonymous
March 05, 2010
@alienRancher: Chrome is a good browser, although their protection against phishing and download of malware is weak. So, most users are probably more secure from the most common attacks with IE8. While it's true that Chrome does what it can to protect users on XP, the truth is that the mechanisms they're using all have holes in them. Why? Because XP doesn't have kernel-enforcement of the features they're using as a security mechanism. That's why Microsoft didn't try to port protected mode to XP-- they needed the security provided by new work done in the kernel.
Anonymous
March 05, 2010
Tortoise: Looks like it was only coincidental. But good excludes/includes can improve performance as cache process won't generate that much activity and RAM usage while going through directories will see reduced delays as Tortoise won't check those under excludes. Ok. Sorry, looks like I was mistaken... (Only few ms more or less)
Anonymous
March 06, 2010
Rather than blame rogue addons for poor IE performance (which is getting real tired!) try helping out the end users with some actual stats for start times for various common addons (say the top 40). That way end users can make an informed decision as to which addons are slow and if they really need them. E.g. if the Bing toolbar is causing IE to be really slow then we can uninstall it (or poke MSFT for a patch); if the IE dev tools are slowing it down we can uninstall them. Ultimately we all want a fast browser - hence the mass exodus to Firefox, Chrome and Opera over the past 3-4 years. If IE continues to have performance issues there are only 2 outcomes. 1.) the cause is fixed or worked around or 2.) users switch to a better browser. I don't have any video tools on my PC to record the new tab speed but I assure you it is slower than any tab based browser I've ever used.