Tab Isolation


Tab isolation has recently become a more popular topic. This post is a quick survey of what tab isolation is, how it works, and what it provides.

What is it?

Tab isolation is a way to improve a browser’s reliability by containing the impact of a crash. Depending on how it’s implemented, tab isolation can also help contain some security attacks. There are two different implementations available today, each with different benefits.

In a tabbed browser without isolation, a problem in one tab can crash the entire browser. For example, a crash in a webpage in Firefox 3.6 or IE7 will bring down the entire browser. While modern browsers have features to recover tabs after a crash, the point of isolation is to contain the problem and prevent the browser from stopping. You can see a demo of this here (starting around 13:25). 

A Quick Historical Survey

On March 5, 2008, Microsoft released the first IE8 beta with Loosely-Coupled IE (or LCIE for short). This was the first mainstream implementation of tab isolation. On September 2, 2008, Google Chrome’s first beta released with “process isolation.” Mozilla Firefox has recently discussed an “Out of Process Plugins” (OOPP) or Electrolysis project aimed at isolating Firefox plug-ins, such as Flash, from the rest of the browser.

How do isolation approaches differ today in approach and benefits?

There are a lot of different subsystems in a browser to isolate from each other, and different ways to do it.

IE8 isolates the frame process (title bar, back button, address bar, etc.) from the tabs processes (that show web pages). If anything causes a site to crash (an extension like Flash, or the rendering or scripting engine, etc.), the frame and other tab processes will not crash. IE isolates the whole tab – all of its code, data, and extensions – to keep IE resilient to webpages with issues.

In addition to using multiple processes, IE8 on Windows 7 and Vista (and IE7 on Vista) sandboxes the tab processes in Protected Mode for security reasons. Specifically, tabs run without permissions to install software, modify settings, or change files of any user. Protected Mode provides defense in depth so that (in most cases) security vulnerabilities in the browser or an add-on (like Flash) cannot be exploited to harm the computer. Isolation makes this additional security possible. (Technically, there are several different types of isolation (process isolation, origin isolation, etc.), and of sandboxing (integrity levels, restricted subsets, DOM mirroring, etc.) as well.)

Chrome’s isolation is a bit different, factoring the different subsystems of that browser along different lines. From their documentation, they have separate processes for rendering, for the frame, and for add-ons (native plug-ins, not extensions). As with IE7, part of Chrome runs with lower privilege. Unlike IE (where page add-ons run in low), plugins in Chrome by default run with more privileges. As with any architectural difference, there are scenarios that are better in one architecture and worse in another. Theoretically, for example, a vulnerability in the Flash control running in Chrome does not have a defense in depth protection like Protected Mode to contain it.

Isolation is a super important part of modern browsers.  It’s essential for delivering a more reliable browsing experience. It can also improve security. Depending on how it’s engineered, it can also have an impact on compatibility with sites and browser extensions.

Andy Zeigler
Program Manager

Comments (40)

  1. Anonymous says:

    @Andy Zeigler [MSFT]

    findText in text range: IE6, IE7 and IE8 will crash

    http://www.gtalbot.org/BrowserBugsSection/MSIE8Bugs/crash-ie8-findtext-in-range.html

    There can not be a rational explanation as to why this crash bug will not be fixed for IE9. That particular bug had been publicly reported months ago, in broad daylight, months before IE8 was RTW.

    http://www.w3.org/Style/CSS/Test/CSS2.1/20100127/html4/universal-selector-005.htm

    Who exactly is saying that IE8 passes all testcases submitted to CSS 2.1 test suite? There can not be a rational explanation as to why such crash bug (reported fair and square: bug 427231) will not be fixed for IE9.

    Application hang, CPU maximized: bug 414807 ( https://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=414807 ) Reported before IE8 RTW with all the relevant steps, entirely reproducible.

    Application hang, CPU maximized: bug 366200 ( https://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=366200 ). Reported several months before IE8 RTW with all relevant steps, entirely reproducible.

    Page gets entirely blank: http://www.w3.org/Style/CSS/Test/CSS2.1/20100127/html4/max-height-106.htm

    There are other crash bugs and application hang (CPU maximized; caused by infinite reflow loop) bugs afflicting IE8, publicly reported with steps and/or testcases.

    Gérard Talbot

  2. Daniel says:

    Two notes here: first, the link for "process isolation" in Chrome links to a reference rather than to the appropriate section. Also, this reference is conveniently about LCIE ;)

    Second, you say Chrome has processes for "add-ons (native plug-ins, not extensions)". Maybe the specific part of the documentation you read is outdated, but Chrome extensions can also have their own processes — any extension that has state outside isolated tabs (i.e., anything more than Greasemonkey-like extensions) will have its own process.

  3. Don Reba says:

    The cost of tab isolation in IE8 is too high. It takes seconds just to open a new empty tab. Also, it causes problems with plugins. Consequently, I keep tab isolation switched off.

  4. Matt says:

    @Don: It’s not tab isolation, it’s your addons. New tabs will open in less than 1/3 second without them.

    I have yet to find a plugin that has a problem with tab isolation, although poorly written Java applets will not be able to communicate from tab-to-tab. Given that IE8 has hundreds of millions of users, it’s clear that there’s no widespread problem with tab isolation.

    @Daniel: Yeah, binary extension processes are new to Chrome 4.0, but it makes no difference, the binary extension process runs at user-trust and thus exploit remains dire.

  5. Brenda L'Fure says:

    Off post topic question: any advance in passing ACID 3 tests? Please, keep us informed about your work in this area.

    Thanks IE team!

  6. Don Reba says:

    Matt, if tab isolation was slowing down plugins, it would still be at fault. However, this is not the case for me. It also performs miserably with SpyBot-generated restricted site lists.

    A big addon that does not work with tab isolation is IE7Pro.

  7. "Tab isolation is a way to improve a browser’s reliability by containing the impact of a crash. (…)

    Isolation is a super important part of modern browsers."

    Why not, in the first place, fix known, filed, reported, documented, entirely reproducible, testcase-ed application crash bugs and hang bugs occuring in IE8?

    Having an explosive air bag in case of car collision is a nice feature but fixing the breaking system or the gaz/acceleration pedal (electronically controlled) is going to be a lot more relevant, you see, for your customers and everyone involved and it should come first, should be top priority.

    Gérard Talbot

  8. John says:

    Gerard, it’s obvious that you’re not the developer of large software systems. It’s also obvious that you’ve somehow missed the message that the majority of browser crashes are caused by browser plugins, which the IE team isn’t in a position to fix on Adobe’s/Sun/Real/Apple’s behalf.

    Stick to complaining about web standards.

  9. Matt says:

    @Don: No, if you gunk up your browser with slow addons, that’s either the fault of your addons, or you, for installing such things. Having the first tab be stupid slow and the next one be fast is hardly better than having them all be stupid slow.

    SpyBot’s zone-spamming is worse than useless and has no security value. You should turn it off.

    I stopped using IE7Pro years ago… it’s got some fun features, but they hack into undocumented things and are pretty crashy even on IE7.

  10. Don Reba says:

    Matt, the choices between tab isolation and SpyBot and between tab isolation and IE7Pro are actually very easy. The day I am not able to use an effective ad block with IE will be the day I switch to another browser.

  11. Will says:

    Google Chrome crashes on me a lot, using v5 dev of course. ;)

    Sadly the browser has to be recovered not just the tab that crashed.

    IE 8 is way better at this in my experience.

  12. Daniel says:

    @Matt: I seriously doubt the problem with IE’s tab creation time is related to add-ons. On a clean install of Windows 7, IE 8 is still slow starting a new tab. In fact, Other browsers (Firefox and Chrome) are faster at creating new windows than IE is at creating a new tab. And I have 15 extensions installed on Firefox.

    IE’s empty tab creation has always been slow to me, since the IE7 days. I don’t recall ever seeing it perform anywhere as close to other browsers on any computer I’ve ever seen it run, no matter its hardware specs.

  13. Ooh says:

    @Daniel: My experience is exactly the opposite. IE8 tabs open up blindingly fast after a clean install – unfortunately I have to enable the Java plugin for some websites which makes IE awfully slow :(

  14. Eric says:

    How could we have the same behavior for the WebCtrl.

    A lot of custom applications are using the IE WebCtrl embedded in their code.

    It will be very useful to have the isolation for improving security and reliability

  15. Paul S says:

    @Don, well I just opened a new tab in IE8 and it opened before I got chance to count to 1. I think it’s a problem with your setup.

  16. sean says:

    I think we’ve had these discussions over and over.

    Tab creation time in IE8 is ridiculously slow – and it doesn’t matter if you have 10 addons running, all disabled or none installed.

    If IE can’t load blank tabs in 1/4 second or less (REGARDLESS HOW MANY ADDONS ARE INSTALLED) then IE FAILED. YES IE FAILED.

    If your architecture is so weak that opening a new tab cripples your browser then YOU NEED TO FIX YOUR ARCHITECTURE!

    I have 37 addons installed in Firefox and I can open a new tab as fast as I can blink.

    There is no excuse for IE not to be able to do the same.  Stop blaming the addon developers and fix the IE architecture!

  17. Klimax says:

    I have seen FF tab speed below IE yet no extensions.

    Anyway not only extensions matter,but what programms are installed. If you have Spybot,Tortoise SVN,GIT,Hg and Bazaar and one AV then speed will be far below average…

    What I measrued I had new tab around 101ms when on blank page and 300-400 ms when regular webpage.

    As far as I can say those who complain about slow tabs(any tabbed browser) need to examing details of system and go far below surface. There are too many ways how to shoot performance and many are outside of browser-creator’s  control.

    And AFAIK every tab has its own instance of extensions,that’s why number and quality of extensions matter.

  18. George Wurst says:

    The Mozilla guys had the idea of plugin process isolation quite some time now, even before Google Chrome became public.

    The Chrome guys stated that there were forced to run plugin processes with higher privileges because of compatibility problems.

    Extensions in Chrome (in JavaScript) also have their own process.

  19. Don Reba says:

    > If you have Spybot,Tortoise SVN,GIT,Hg and Bazaar and one AV then speed will be far below average…

    I have 5/7. Chrome opens new tabs instantly.

  20. Klimax says:

    I have 5/7. Chrome opens new tabs instantly.

    Does it create new process for new tab?(Forgot)

    AFAIK: New threads are not affected,but when new process is created it causes heavy activity – like by Teatimer ; even disk activity – Tortoise (fitting)

    ===

    I forgot a reason: "Spamming" of restricted zone by Spybot.

    ====

    I should run Process monitor again to see activity as current Win7 has slow tab creation while main computer (XP) is fast.

  21. frymaster says:

    "If IE can’t load blank tabs in 1/4 second or less (REGARDLESS HOW MANY ADDONS ARE INSTALLED) then IE FAILED. YES IE FAILED."

    so if I create a plugin that deliberately has a 10-second pause while loading, and it takes 10 seconds for the plugin to load, that’s IE’s fault?

  22. hd says:

    I had about 15 tabs open in an xp system with 512 mb memory(so naturally memory is very tight ). I closed all tabs except 1 ,but IE still had about 4 iexplore processes running in the background.WHY DOESN’T IE8 release resources immediately when not needed?

  23. Daniel says:

    @Paul S: "before I got chance to count to 1" is still slow in my books. Firefox is right now consuming 446 MB here, with several tabs across two windows, and tabs open instantly. Chrome and Opera are also instant.

    @Klimax: here’s my full list of installed applications when I tested:

    - Windows 7 64-bit Home Premium default install

    An earlier test case on the same computer:

    - Windows Vista 64-bit default install

    Yet another, from late 2007:

    - Windows XP Professional 32-bit default install (IE7)

    All these three times, I had the same thought: "this is a perfectly clean Windows install on a 2 GHz Core 2 Duo with 2 GB of RAM, it’s simply impossible IE’s tab startup will suck!"

    Yet it failed me, time after time. It might not take several seconds anymore, but given the competition, anything where I have to wait after pressing Ctrl-T before typing an URL is frustratingly slow. Seeing IE saying "Connecting…" for a blank tab is bull.

    As a curiosity, I tried searching on YouTube for videos of IE spawning new tabs quickly, any version. Couldn’t find any, while there are plenty showing how slow it is (taking as much as 10 seconds for some), and many giving hints on how to speed it up (but never demonstrating how fast it can get, unfortunately).

  24. EricLaw [MSFT] says:

    @Daniel: What AV program do you use? Some hook deeply into IE while doing nothing in other browsers. Unfortunately, that can hurt performance.

    As for the question of videos… last time this conversation came up (early last year) I took a quick capture of one of my computers which has a few well-written addons enabled (e.g. Ralph Hare’s Mouse Gestures and a few I wrote); I posted the low-quality video here: http://www.enhanceie.com/ie/newtab.wmv

  25. frank says:

    @frymaster – if an IE plugin takes 10 seconds to initialize the plugin is garbage.

    So there is actually 2 problems with IE addons right now.

    1.) They are loaded automatically for every new tab regardless if they are needed or not (IE design bug)

    2.) Addon developers are not being smart with their code to first check the page url before loading/doing any initialization.

    e.g. when IE opens a new tab "about:blank" or "about:tabs" all addons should (a) Not be initialized (IE bug) and (b) if they are (e.g. MSFT doesn’t fix their design) then the addons should check the URL first… if not a "real" url (e.g. not "about:blank" or "about:tabs" etc.) then it should immediately abort initialization and return.

    However the most important item is (c).

    =======================================

    =======================================

    (c) Before IE loads **ANY** addon code whatsoever, it should fully load the new tab, focus the address bar and THEN AND ONLY THEN, initialize addons in a separate thread (e.g. do not lock up the browser and stop me from typing a new url etc.)

  26. Chris says:

    Here is an interesting article… oddly enough, from the same blog.  

    http://blogs.msdn.com/ie/archive/2009/07/18/how-to-make-ie-open-new-tabs-faster.aspx

    Posted a while back, but maybe helpful for further testing on your slowness issues.  My tabs ordinarily open up immediately in both IE7 and IE8.  Although I do run across a lot of websites that are just horribly coded.

  27. Klimax says:

    @Daniel (Funny,my first name as well..)

    Interesting about 64b XP. Was that 32 or 64 version of IE?

    What could  be otherwise difference since I have XP 32 – fast tabs and until recently Win7 32 fast as well.

    Maybe analysis of Process Monitor log would be able to show resource hog or larger operations on registry and/or network.(i take it there is not much HDD activity)

    ====

    Issue seems to be somewhat strange as similar complement of programms yelds different results.

    As for YT videos,why to bother making video about normal operation? But one should be wary if video capture wasn’t slowing PC too much.

  28. Kevin says:

    @Klimax – I use Tortoise SVN but had no idea it makes IE8’s tabs slow!

    Can you clarify why it makes it slow or provide a link to more details.

    thanks.

  29. Phil says:

    @Matt – I’ve done several clean installs of Windows (XP, Fista and Win 7) with IE 7 and IE 8, no plugins, and had tabs take 2 seconds to open.  I don’t know why some people have the issue and others not, but just telling people "it’s your setup with your plugins" isn’t always the case.

  30. Aryeh Gregor says:

    A couple of points about Chrome:

    1) Chrome processes are sandboxed much more heavily than just Low isolation.  According to <http://dev.chromium.org/developers/design-documents/sandbox&gt;, they use Low isolation if on Vista, but also have a very restrictive security token, run as a Job object, and run as an alternate desktop.  IE renderer processes can’t write to user files, but Chrome renderer processes can do virtually nothing at all (even on XP, where IE8 runs with normal privileges — right?).

    2) In reply to Matt: "Yeah, binary extension processes are new to Chrome 4.0, but it makes no difference, the binary extension process runs at user-trust and thus exploit remains dire."  This is not true.  See <http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-185.pdf&gt; for a discussion of Chrome’s extension security model.

    Chrome extensions that want to execute arbitrary code must explicitly say that in their manifest.  If an extension does say that, then 1) it won’t be put up on Google’s extension gallery unless the developer signs a contract with Google, and 2) if the user tries to install it from a third-party site, the UI will be the same as for downloading an executable.

    This strongly encourages extensions to not request arbitrary code execution rights, so in practice, the overwhelming majority of Chrome extensions cannot execute arbitrary code (unlike IE or Firefox extensions).

  31. alienRancher says:

    Aryeh brings a good point, since most windows users are still running XP, then most user are worse off security wise running IE8 than running Chrome.

    Andy Zeigler, do you agree?

  32. Matt says:

    @Aryeh Gregor: You’re proving that a little knowledge can be a dangerous thing. First off, let me state that I like Chrome’s extension model; they did good work by virtue of being able to start from a fairly blank slate and from learning from the experiences of others.

    However, by echoing the talking points of Google’s marketing, you’re doing a disservice to the truth. The truth is that most web add-on vulnerabilities are in browser add-ons that will run with full user-trust in Chrome (specifically Flash). There’s currently no capability in Chrome to say "Run my binary extension in the sandbox" so even if Flash wanted to move, they couldn’t. Chrome has a cmdline extension to force ALL addons into the sandbox, but this breaks most of them.

    All of your discussion of the gallery and so forth is a red-herring… those mechanisms are about trying to block MALICIOUS browser extensions, while the threat under discussion is the risk of VULNERABLE browser extensions.

  33. Matt says:

    @alienRancher: Chrome is a good browser, although their protection against phishing and download of malware is weak. So, most users are probably more secure from the most common attacks with IE8.

    While it’s true that Chrome does what it can to protect users on XP, the truth is that the mechanisms they’re using all have holes in them. Why? Because XP doesn’t have kernel-enforcement of the features they’re using as a security mechanism. That’s why Microsoft didn’t try to port protected mode to XP– they needed the security provided by new work done in the kernel.

  34. Klimax says:

    @Kevin:

    I have been trying for several hours to capture PM log where it happens,but I couldn’t just get new process. So I’ll try again at least with new instance (frame,tab) and we’ll see.

    As for links,I don’t have any,I saw it while hunting down a problem, but never got around to see definitely.

    Once I get PM logs,I can post links to them.

    (So far I have 4 and they show interesting things – like it looks like registry/dll loading is consuming majority of time;if no error in analysis)

  35. Klimax says:

    Tortoise:

    Looks like it was only coincidental. But good excludes/includes can improve performance as cache process won’t generate that much activity and RAM usage while going through directories woll see reduced delays as Tortoise won’t check those under excludes.

    Ok.Sorry,looks like I was mistaken…

    (Only few ms more or less)

  36. Aryeh Gregor says:

    @Matt: I didn’t say anything about plug-ins, only extensions.  I use the terms the way Firefox does: plug-ins are things like Flash that use the NPAPI, and extensions are things that use browser-specific interfaces.  I guess IE doesn’t support the NPAPI, so maybe there’s no difference for it?  But there is for all the other browsers.  You said "binary extension processes are new to Chrome 4.0", and I assumed you meant extensions, not plug-ins.

    Anyway, Chrome doesn’t sandbox plug-ins last I heard, that’s true.  I don’t know why it doesn’t at least run them in low integrity mode on Windows — if IE8 can do it without breaking them, why can’t Chrome?  I was only talking about extensions (which are certainly a much smaller share of vulnerabilities).

    As for Chrome sandboxing not being secure on XP, do you have any evidence to back that up?  Are you aware of any exploits in Chrome’s sandbox on XP that an attacker could leverage?  All the Chrome documentation suggests that they rely on a variety of features, not just Vista-specific ones — like giving it an almost zero security token.  I don’t know much about Windows, but security tokens have been around since the dawn of NT, haven’t they?

  37. full disclosure says:

    Rather than blame rouge addons for poor IE performance (which is getting real tired!) try helping out the end users with some actual stats for start times for various common addons (say the top 40)

    That way end users can make an informed decision as to which addons are slow and if they really need them.

    e.g. if the Bing toolbar is causing IE to be really slow then we can uninstall it (or poke MSFT for a patch)

    if the IE dev tools are slowing it down we can uninstall them.

    ultimately we all want a fast browser – hence the mass exodus to Firefox, Chrome and Opera over the past 3-4 years.

    if IE continues to have performance issues there are only 2 outcomes.  1.) the cause is fixed or worked around or 2.) users switch to a better browser.

    I don’t have any video tools on my PC to record the new tab speed but I assure you it is slower than any tab based browser i’ve ever used.

  38. wechrome says:

    @Aryeh Gregor,

    "In reply to Matt…"

    I think by "binary extension" and "native plug-in", they are not referring to Chrome extensions, but plug-ins like Flash, Java, Silverlight, etc. etc. which Google admits that those plug-ins are not sandboxed for compatibility reasons.

    @Ooh,

    "My experience is exactly the opposite."

    by "opposite", do you mean that after a clean install, you see IE opening new tabs faster than Firefox, Chrome and Opera? Or do you just mean you think IE open up new tab fast, but didn’t compare it with other browsers?

    Really, if you don’t compare it with other browsers, you may think IE is fast, like opening up a new tab with half a second is already fast. but if you use other browsers that can open up new tabs within 1/10 of a second, you will realize that IE is quite slow, compared to the competitors that is.

  39. Pete says:

    My problem with Tab Isolation is that while it sounds good, in practice it doesn’t keep a bad page from bringing down the whole IE window and other tabs. I was reading this post when I went to espn.com. The entire IE window hung and I had to close it. When it restarted, it offered to reload the last session, I said yes…but it tried to reload espn.com and the whole window hung up again. Next time, I told it to just go to my home page.

    The thing is, that’s how pretty much all my IE crashes go. Some site causes a hang, and the whole window comes down. Sometimes an IE restart and reloading the last session brings things back and the problematic tab loads fine. In general, though, this is not the case, and the scenario above holds–I eventually have to give up and start from a single tab window at my home page.