Difference between revisions of "Project Fission"

From MozillaWiki
Jump to: navigation, search
m (Project planning: Remove obsolete dashboard link)
(fission is no longer a nightly experiment)
 
(32 intermediate revisions by 9 users not shown)
Line 1: Line 1:
=Project Fission=
+
Fission is Mozilla's implementation of ''Site Isolation'' in Firefox. Site Isolation is a security feature that offers additional protection in case of large classes of security bugs. Site Isolation safely sandboxes web pages and web frames, isolating them from each other, further strengthening Firefox security.
  
Project Fission is the project name for revamping and strengthening the architecture of Firefox browser.
+
= Why? =
  
==Project planning==
+
Web security is designed in such a way that websites or webframes cannot access each other's data inside the browser. However, bugs happen. The Firefox teams and the Mozilla security teams invest considerable effort in avoiding security bugs, or, if they exist, finding them out and fixing them before release. However, if a bug somehow slips past developers, analysis and tests, and a sufficiently cunning attacker manages to find the bug before it can be fixed, they can sometimes craft a page specifically designed to access data from other sites that the user is currently visiting or has recently visited.
  
Project Fission is a Cross Functional engineering effort across the Platform organization.
+
Firefox developers already employ a number of counter-measures to make such undetected bugs less likely to succeed, from programming in memory-safe languages to adopting defensive programming techniques. Site Isolation is a new counter-measure dedicated to this purpose. With Site Isolation, pages and frames are executed in processes dedicated to their origin.
  
[https://bugzilla.mozilla.org/show_bug.cgi?id=fission Primary Meta bug - Bug 1432593 - (meta) Project Fission]
+
= Example =
  
==M4 goals==
+
Consider a blog on https://example.com with a Facebook like button (frame from https://facebook.com) and a Twitter button (frame from https://twitter.com). Without Site Isolation, this entire page runs in a single process. If an undetected bug in Firefox somehow allows the main page of the blog to access data inside the frames despite the protections in place, the malicious owner of https://example.com (or someone who had already stolen the domain) may be able to take advantage of this bug to impersonate the Firefox user in the Facebook and Twitter frames, and possibly use this impersonation to send fake messages or read private messages.
{| class="wikitable"
 
|-
 
! Task !! Name
 
|-
 
| All Mochitests running and passing in central (unrelated to session history or other long-term ongoing projects) || Kris Maglione, Andrew McCreight, Kashav Madan
 
|-
 
| All non-fission tests passing in ‘ash’ || Peter Van Der Beken, Olli Pettay
 
|-
 
| All Reftests with fission passing on central || Jonathan Watt
 
|-
 
| WindowProxy transplanting || Andrew McCreight
 
|-
 
| DocumentChannel & Process switching || Matt Woodrow, Jean-Yves Avenard
 
|-
 
| Make history navigations asynchronous || Olli Pettay
 
|-
 
| Screenshot platform API || Matt Woodrow
 
|-
 
| The 'load' event should wait for OOP-iframes to load || Jonathan Watt
 
|-
 
| BrowsingContextGroup actors || Andreas Farre
 
|-
 
| Kickoff: Replace nsIDocShellTreeItem with BrowsingContext || Kannan Vijayan
 
|-
 
| Kickoff: Make session history IPC async || Olli Pettay, Anny Gakhokidze
 
|-
 
| Make it clear that methods which won't work past Fission are process-bound || Kannan Vijayan
 
|-
 
| Convert content-sessionStore to C++ || Alphan Chen
 
|-
 
| Convert SessionHistoryListener to C++ || Alphan Chen
 
|-
 
| Make the audio/video controls Fission-aware || Abdoulaye Oumar Ly
 
|-
 
| Make the fullscreen code Fission-aware || Abdoulaye Oumar Ly
 
|-
 
|  Make Plugin Click-to-Play Fission-aware || Gijs Kruitbosch
 
|-
 
|  Make 'Find in page' work in fission world || Neil Deakin
 
|-
 
|  Make Login Manager fission-compatible || Neil Deakin
 
|-
 
|  Make RemotePrompt Fission-compatible || Mike Conley
 
|-
 
| Make DateTimePicker Fission-aware || Abdoulaye Oumar Ly
 
|-
 
| Add browser tests for a11y tree and events on OOP iframes || James Teh
 
|}
 
  
==Team==
+
With Site Isolation, this blog now runs on three different processes, one for https://example.com, one for https://facebook.com and one for https://twitter.com. These processes are sandboxed which limits what each of the processes can do. Even if the malicious owner of https://example.com were to take advantage of an undetected Firefox bug and to take control of the process in charge of https://example.com, the processes in charge of https://facebook.com or https://twitter.com would reject any request from this compromised process. In other words, this hypothetical bug is not sufficient anymore to impersonate the Firefox user in the Facebook and Twitter frames.
{| class="wikitable"
 
|-
 
! Role !! Name
 
|-
 
| Engineering Project Manager || Ron Manning
 
|-
 
| Product Manager || Mike Conca
 
|-
 
| Project Tech Lead || Nika Layzell
 
|-
 
| Accessibility Lead || James Teh
 
|-
 
| DevTools Engineering || Alexandre Poirot
 
|-
 
| DevTools Engineering || Yulia Startsev
 
|-
 
| DOM Engineering Manager || Neha Kochar
 
|-
 
| DOM Engineering || Alphan Chen
 
|-
 
| DOM Engineering || Andreas Farre
 
|-
 
| DOM Engineering || Andrew McCreight
 
|-
 
| DOM Engineering || Anny Gakhokidze
 
|-
 
| DOM Engineering || John Dai
 
|-
 
| DOM Engineering || Kashav Madan
 
|-
 
| DOM Engineering || Kannan Vijayan
 
|-
 
| DOM Engineering || Kris Maglione
 
|-
 
| DOM Engineering || Peter Van Der Beken
 
|-
 
| DOM Engineering || Henri Sivonen
 
|-
 
| FrontEnd  Engineering || Mike Conley
 
|-
 
| FrontEnd  Engineering || Neil Deakin
 
|-
 
| Graphics Engineering || Matt Woodrow
 
|-
 
| Graphics Engineering || Jean-Yves Avenard
 
|-
 
| Memshrink Lead || Eric Rahm
 
|-
 
| Memshrink Engineering || Kris Maglione
 
|-
 
| Layout Engineering || Jonathan Watt
 
|-
 
| Media and WebRTC Lead || Nils Ohlmeier
 
|-
 
| Necko Engineering || Valentin Gosu
 
|-
 
| Necko Engineering || Dragana Damjanovic
 
|-
 
| Office-of-CTO Consultant || Boris Zbarsky
 
|-
 
| Security Lead || Tom Ritter
 
|-
 
| Standards Lead || Anne van Kesteren
 
|}
 
  
== Sub-pages ==
+
= Contact =
 +
 
 +
The Fission team is standing by, ready to answer your questions in the '''#fission:mozilla.org''' room on [https://chat.mozilla.org/#/room/#fission:mozilla.org Mozilla's Matrix server].
 +
 
 +
= Observing Fission =
 +
 
 +
In desktop Firefox, you may open '''about:processes''' to see the processes used by Firefox.
 +
 
 +
= Reporting Bugs =
 +
 
 +
To file a Fission bug in Bugzilla, [https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&bug_type=defect&short_desc=%5bFission%5d&blocked=fission-dogfooding click here to use this Fission bug template]. Or file a bug and include the word “Fission” in the bug summary. The Fission team’s bug triage will find the bug, regardless of which Bugzilla component you file it in.
 +
 
 +
* Fission meta {{bug|1451850}}
 +
* [https://bugzilla.mozilla.org/buglist.cgi?classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&f1=cf_fission_milestone&resolution=---&o1=anywordssubstr&query_format=advanced&v1=M4.1%2CM5%2CM6 All bugs blocking Fission Nightly]
 +
 
 +
= Enabling Fission =
 +
 
 +
[[File:Fission tab tooltip.png|thumb|A "[F]" in a loaded tab's tooltip indicates that Fission is enabled]]
 +
 
 +
Fission was released to desktop [https://www.mozilla.org/firefox/95.0/releasenotes/ Firefox in version 95].
 +
 
 +
# In ''about:config'', set the '''"fission.autostart"''' and '''"gfx.webrender.all"''' prefs to '''"true"'''. DO NOT edit any other "fission.*" or "gfx.webrender.*" prefs.
 +
 
 +
You can verify that Fission has been enabled by hovering over the current tab. If the tooltip contains a "[F]", Fission is enabled. Background tabs' tooltips might not have the "[F]" if they are not loaded yet.
 +
 
 +
=== Disabling Fission ===
 +
 
 +
If you encounter an issue while using Fission, it can be useful to create a new profile in about:profiles and attempt to recreate the issue. This can be useful to determine if issues are Fission-specific. If you encounter an issue that only happens with Fission, please be sure to file a bug in Bugzilla about it as described above!
 +
 
 +
To disable Fission, set the "fission.autostart" pref to "false" and restart Firefox.
 +
 
 +
= Sub-pages =
  
 
* [[Project Fission/Memory|Memory]]
 
* [[Project Fission/Memory|Memory]]
Line 131: Line 50:
 
* [[Project_Fission/Enabling_Tests_with_Fission|Enabling Tests with Fission]]
 
* [[Project_Fission/Enabling_Tests_with_Fission|Enabling Tests with Fission]]
 
* [[Project Fission/DocShell_Tree_Replace|Fix out-of-process uses of DocShell tree and nsIDocShellTreeItem]]
 
* [[Project Fission/DocShell_Tree_Replace|Fix out-of-process uses of DocShell tree and nsIDocShellTreeItem]]
 
+
* [[Project Fission/BrowsingContext|In progress BrowsingContext documentation]]
===Find us on Slack===
 
* #fission
 
* [https://docs.google.com/spreadsheets/d/1jwYDrq0FDD0qNEN_-SXxgOAtaj15hGfH4Xna1v4qrec/edit#gid=705986634 RASCI (Mozilla only)]
 

Latest revision as of 16:59, 17 March 2022

Fission is Mozilla's implementation of Site Isolation in Firefox. Site Isolation is a security feature that offers additional protection in case of large classes of security bugs. Site Isolation safely sandboxes web pages and web frames, isolating them from each other, further strengthening Firefox security.

Why?

Web security is designed in such a way that websites or webframes cannot access each other's data inside the browser. However, bugs happen. The Firefox teams and the Mozilla security teams invest considerable effort in avoiding security bugs, or, if they exist, finding them out and fixing them before release. However, if a bug somehow slips past developers, analysis and tests, and a sufficiently cunning attacker manages to find the bug before it can be fixed, they can sometimes craft a page specifically designed to access data from other sites that the user is currently visiting or has recently visited.

Firefox developers already employ a number of counter-measures to make such undetected bugs less likely to succeed, from programming in memory-safe languages to adopting defensive programming techniques. Site Isolation is a new counter-measure dedicated to this purpose. With Site Isolation, pages and frames are executed in processes dedicated to their origin.

Example

Consider a blog on https://example.com with a Facebook like button (frame from https://facebook.com) and a Twitter button (frame from https://twitter.com). Without Site Isolation, this entire page runs in a single process. If an undetected bug in Firefox somehow allows the main page of the blog to access data inside the frames despite the protections in place, the malicious owner of https://example.com (or someone who had already stolen the domain) may be able to take advantage of this bug to impersonate the Firefox user in the Facebook and Twitter frames, and possibly use this impersonation to send fake messages or read private messages.

With Site Isolation, this blog now runs on three different processes, one for https://example.com, one for https://facebook.com and one for https://twitter.com. These processes are sandboxed which limits what each of the processes can do. Even if the malicious owner of https://example.com were to take advantage of an undetected Firefox bug and to take control of the process in charge of https://example.com, the processes in charge of https://facebook.com or https://twitter.com would reject any request from this compromised process. In other words, this hypothetical bug is not sufficient anymore to impersonate the Firefox user in the Facebook and Twitter frames.

Contact

The Fission team is standing by, ready to answer your questions in the #fission:mozilla.org room on Mozilla's Matrix server.

Observing Fission

In desktop Firefox, you may open about:processes to see the processes used by Firefox.

Reporting Bugs

To file a Fission bug in Bugzilla, click here to use this Fission bug template. Or file a bug and include the word “Fission” in the bug summary. The Fission team’s bug triage will find the bug, regardless of which Bugzilla component you file it in.

Enabling Fission

A "[F]" in a loaded tab's tooltip indicates that Fission is enabled

Fission was released to desktop Firefox in version 95.

  1. In about:config, set the "fission.autostart" and "gfx.webrender.all" prefs to "true". DO NOT edit any other "fission.*" or "gfx.webrender.*" prefs.

You can verify that Fission has been enabled by hovering over the current tab. If the tooltip contains a "[F]", Fission is enabled. Background tabs' tooltips might not have the "[F]" if they are not loaded yet.

Disabling Fission

If you encounter an issue while using Fission, it can be useful to create a new profile in about:profiles and attempt to recreate the issue. This can be useful to determine if issues are Fission-specific. If you encounter an issue that only happens with Fission, please be sure to file a bug in Bugzilla about it as described above!

To disable Fission, set the "fission.autostart" pref to "false" and restart Firefox.

Sub-pages