
Add WebContent process isolation between contexts#1

Open
seadanda wants to merge 1 commit into replghost:main from seadanda:feat/process-isolation

Conversation


@seadanda seadanda commented Mar 12, 2026

Summary

Each browsing context (Work, Personal, etc.) now gets a dedicated WKWebsiteDataStore keyed by a stable UUID, ensuring separate WebContent OS processes per context. This prevents cross-context cookie/storage/cache leakage — even through renderer exploits.

What changed

settings.rs — UUID infrastructure + migration

  • DEFAULT_STORE_UUID constant for the shared default context
  • generate_store_uuid() using OS CSPRNG via getrandom (collision-resistant)
  • parse_store_uuid() / format_store_uuid() for hex encoding
  • SessionContext.store_uuid: Option field with serde default
  • data_store_uuid() -> parse-only Option<[u8; 16]> (fail-closed on malformed hex)
  • Migration in SettingsGlobal::load() repairs missing and malformed UUIDs

tabs.rs — WebView creation wiring

  • WebViewTab::new() accepts store_uuid: Option<[u8; 16]>, calls builder.with_data_store_identifier(uuid) via WebViewBuilderExtDarwin
  • Fail-closed isolation: store_uuid.is_none() -> incognito (covers private tabs, deleted contexts, macOS <14)
  • macos_14_or_later() runtime gate — older macOS degrades to incognito with log warning
  • Context creation in Settings UI generates UUID at creation time

workbench.rs — Context resolution + all call sites

  • resolve_store_uuid() maps context_id -> UUID bytes (None -> None, "default" -> fixed UUID, named -> from settings)
  • Unknown/deleted contexts return None -> fail to incognito (not shared default store)
  • isolated_tabs now takes precedence over named contexts (privacy-first)
  • All 5 WebView creation paths wired: open_webview, open_webview_background, "Open in Context" menu, "Open Private" menu, restore_session

Security model

| Tab type | Data store | Process isolation |
|---|---|---|
| Default (no context) | DEFAULT_STORE_UUID | Shared persistent store |
| Named context (Work, Personal) | Per-context UUID | Separate WebContent process |
| Private tab | nonPersistentDataStore | Separate, ephemeral |
| Deleted/unknown context | Falls to incognito | Fail-closed |
| macOS <14 | Degrades to incognito | Fail-closed |

Each browsing context (Work, Personal, etc.) now gets a dedicated
WKWebsiteDataStore keyed by a stable UUID, ensuring separate WebContent
OS processes per context. Prevents cross-context cookie/storage/cache
leakage even through renderer exploits.

- CSPRNG UUID generation via getrandom (collision-resistant)
- Fail-closed: unknown/deleted contexts fall to incognito
- macOS 14+ runtime gate (older macOS degrades to incognito)
- isolated_tabs takes precedence over named contexts
- Migration repairs missing or malformed store_uuid hex strings
- 13 new unit tests for UUID generation, parsing, serde, context resolution
- All 5 WebView creation paths wired: open_webview, open_webview_background,
  Open in Context menu, Open Private menu, restore_session
@seadanda seadanda changed the title from "feat: per-context WebContent process isolation via WKWebsiteDataStore" to "Add WebContent process isolation between contexts" on Mar 12, 2026
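The fail-closed resolution chain the description lays out (hex parse that rejects anything malformed, `resolve_store_uuid` returning `None` for unknown or deleted contexts, `isolated_tabs` and the macOS 14 gate taking precedence, and the load-time migration) is worth seeing end to end. The following is an added illustration written for this page, not the PR's own `settings.rs`/`tabs.rs`/`workbench.rs` code: the function names mirror the ones in the description but their bodies are a reconstruction, `DEFAULT_STORE_UUID` is a placeholder value, `SessionContext` is reduced to the one field that matters here, the `getrandom` dependency is replaced by a caller-supplied generator closure so the block compiles with the standard library alone, and `choose_policy` is a hypothetical helper that combines the checks the description says happen in `WebViewTab::new()` and the call sites.

```rust
use std::collections::HashMap;

/// Stand-in for the shared default store id. Placeholder bytes, not the
/// project's actual DEFAULT_STORE_UUID value.
pub const DEFAULT_STORE_UUID: [u8; 16] = [0x11; 16];

/// What backs a new WebView: a persistent store keyed by UUID, or an
/// ephemeral (incognito) store. Incognito is the fail-closed default.
#[derive(Debug, PartialEq, Eq)]
pub enum StorePolicy {
    Persistent([u8; 16]),
    Incognito,
}

/// Decode exactly 32 hex digits into 16 bytes. Wrong length, separators,
/// signs or any non-hex character yields None (fail closed, never a
/// partially-decoded or zero-padded id).
pub fn parse_store_uuid(hex: &str) -> Option<[u8; 16]> {
    let nibbles: Vec<u8> = hex
        .chars()
        .map(|c| c.to_digit(16).map(|d| d as u8))
        .collect::<Option<Vec<u8>>>()?;
    if nibbles.len() != 32 {
        return None;
    }
    let mut out = [0u8; 16];
    for (i, pair) in nibbles.chunks(2).enumerate() {
        out[i] = (pair[0] << 4) | pair[1];
    }
    Some(out)
}

/// Encode 16 bytes as lowercase hex (inverse of parse_store_uuid).
pub fn format_store_uuid(uuid: &[u8; 16]) -> String {
    uuid.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Hypothetical minimal SessionContext: the stored hex string may be
/// absent (pre-migration settings) or malformed (hand-edited file).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SessionContext {
    pub store_uuid: Option<String>,
}

impl SessionContext {
    /// Parse-only accessor: malformed hex reads as "no store", so the
    /// caller falls to incognito rather than to the shared default store.
    pub fn data_store_uuid(&self) -> Option<[u8; 16]> {
        self.store_uuid.as_deref().and_then(parse_store_uuid)
    }

    /// Settings-load migration: replace a missing or malformed id with a
    /// fresh one from the caller-supplied CSPRNG (assumption: the real
    /// code uses getrandom here). Returns true if a repair happened.
    pub fn repair_store_uuid(&mut self, fresh: impl FnOnce() -> [u8; 16]) -> bool {
        if self.data_store_uuid().is_some() {
            return false;
        }
        self.store_uuid = Some(format_store_uuid(&fresh()));
        true
    }
}

/// Map a context id to store bytes: None -> None, "default" -> the fixed
/// id, a named context -> whatever its settings entry parses to. Unknown
/// or deleted contexts therefore yield None, not the default store.
pub fn resolve_store_uuid(
    context_id: Option<&str>,
    contexts: &HashMap<String, SessionContext>,
) -> Option<[u8; 16]> {
    match context_id {
        None => None,
        Some("default") => Some(DEFAULT_STORE_UUID),
        Some(id) => contexts.get(id).and_then(SessionContext::data_store_uuid),
    }
}

/// Final decision for one WebView. Privacy-first checks come before
/// resolution: an isolated (private) tab or an unsupported OS never
/// reaches a persistent store, whatever the context says.
pub fn choose_policy(
    isolated_tab: bool,
    macos_14_or_later: bool,
    context_id: Option<&str>,
    contexts: &HashMap<String, SessionContext>,
) -> StorePolicy {
    if isolated_tab || !macos_14_or_later {
        return StorePolicy::Incognito;
    }
    match resolve_store_uuid(context_id, contexts) {
        Some(uuid) => StorePolicy::Persistent(uuid),
        None => StorePolicy::Incognito,
    }
}
```

The point to check when reviewing code like this is that every failure path ends in `Incognito` and none in `DEFAULT_STORE_UUID`: a context whose settings entry is deleted, or whose hex string was mangled, must not silently share the default store's cookies with whatever else runs there. Decoding with `char::to_digit(16)` rather than `u8::from_str_radix` matters for the same reason, since the latter accepts a leading sign and would let a 32-character string that is not a UUID parse.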