Project Fission

From MozillaWiki
Jump to: navigation, search

Fission is Mozilla's implementation of Site Isolation in Firefox. Site Isolation is a security feature that offers additional protection in case of large classes of security bugs. Site Isolation safely sandboxes web pages and web frames, isolating them from each other, further strengthening Firefox security.

The easiest way to enable or disable Fission:

  1. Open Firefox Nightly's preferences: Open the Hamburger menu.
  2. Select the "Preferences" or "Options" menu item.
  3. Select the "Nightly Experiments" menu.
  4. Check or uncheck the "Fission (Site Isolation)" checkbox.
  5. Restart Firefox Nightly.

Why?

Web security is designed in such a way that websites or webframes cannot access each other's data inside the browser. However, bugs happen. The Firefox teams and the Mozilla security teams invest considerable effort in avoiding security bugs, or, if they exist, finding them out and fixing them before release. However, if a bug somehow slips past developers, analysis and tests, and a sufficiently cunning attacker manages to find the bug before it can be fixed, they can sometimes craft a page specifically designed to access data from other sites that the user is currently visiting or has recently visited.

Firefox developers already employ a number of counter-measures to make such undetected bugs less likely to succeed, from programming in memory-safe languages to adopting defensive programming techniques. Site Isolation is a new counter-measure dedicated to this purpose. With Site Isolation, pages and frames are executed in processes dedicated to their origin.

Example

Consider a blog on https://example.com with a Facebook like button (frame from https://facebook.com) and a Twitter button (frame from https://twitter.com). Without Site Isolation, this entire page runs in a single process. If an undetected bug in Firefox somehow allows the main page of the blog to access data inside the frames despite the protections in place, the malicious owner of https://example.com (or someone who had already stolen the domain) may be able to take advantage of this bug to impersonate the Firefox user in the Facebook and Twitter frames, and possibly use this impersonation to send fake messages or read private messages.

With Site Isolation, this blog now runs on three different processes, one for https://example.com, one for https://facebook.com and one for https://twitter.com. These processes are sandboxed which limits what each of the processes can do. Even if the malicious owner of https://example.com were to take advantage of an undetected Firefox bug and to take control of the process in charge of https://example.com, the processes in charge of https://facebook.com or https://twitter.com would reject any request from this compromised process. In other words, this hypothetical bug is not sufficient anymore to impersonate the Firefox user in the Facebook and Twitter frames.

Contact

The Fission team is standing by, ready to answer your questions in the #fission:mozilla.org room on Mozilla's Matrix server.

Observing Fission

In Firefox Nightly, you may open about:processes to see the processes used by Firefox. As the rest of Fission, about:processes is currently considered experimental.

Reporting Bugs

To file a Fission bug in Bugzilla, click here to use this Fission bug template. Or file a bug and include the word “Fission” in the bug summary. The Fission team’s bug triage will find the bug, regardless of which Bugzilla component you file it in.

Known Issues

  • Some extensions might not work fully. But please file bugs if you find an extension that doesn't work!
  • Cross-site iframes appear empty when printed.
  • Cross-site iframes appear empty in screenshots.
  • Documents with cross-site iframes cannot enter the BFCache.
  • Session history is not tracked for cross-site iframes.
  • Session restore occasionally fails to restore page state, such as page zoom, scroll offset, or form data.
  • DevTools support for cross-site iframes with fission is incomplete (read more).
  • Attempting to debug extensions or workers from a non-fission window can cause crashes.
  • Linux resource exhaustion issues with large tab counts, including:
    • Excessive memory usage
    • File descriptor exhaustion issues
    • X11 connection exhaustion on Linux (bug 1635451)

Enabling Fission

A "[F]" in a loaded tab's tooltip indicates that Fission is enabled

Fission is still in active development, and can only be enabled in Firefox Nightly.

  1. In about:config, set the "fission.autostart" and "gfx.webrender.all" prefs to "true". DO NOT edit any other "fission.*" or "gfx.webrender.*" prefs.
  2. Restart Nightly.

You can verify that Fission has been enabled by hovering over the current tab. If the tooltip contains a "[F]", Fission is enabled. Background tabs' tooltips might not have the "[F]" if they are not loaded yet.

Disabling Fission

Opening a new non-fission window

If you encounter an issue while using Fission, it is possible to open a non-fission window within the same browsing session using the "New Non-Fission Window" item in the hamburger menu. This can be useful to determine if issues are Fission-specific, or to work around fission-specific breakage.

To disable Fission, reset the "fission.autostart" pref back to "false" and restart Nightly.

Sub-pages