ladybird/Libraries/LibWebView/SiteIsolation.cpp

/*
 * Copyright (c) 2025, Tim Flynn <trflynn89@ladybird.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibURL/URL.h>
#include <LibWeb/Fetch/Infrastructure/URL.h>
#include <LibWeb/HTML/BrowsingContext.h>
#include <LibWebView/SiteIsolation.h>

namespace WebView {

static bool s_site_isolation_enabled = true;

void disable_site_isolation()
{
    s_site_isolation_enabled = false;
}

bool is_url_suitable_for_same_process_navigation(URL::URL const& current_url, URL::URL const& target_url)
{
    if (!s_site_isolation_enabled)
        return true;

    // Allow navigating from about:blank to any site.
    if (Web::HTML::url_matches_about_blank(current_url))
        return true;

    // Allow cross-scheme non-HTTP(S) navigation. Disallow cross-scheme HTTP(s) navigation.
    auto current_url_is_http = Web::Fetch::Infrastructure::is_http_or_https_scheme(current_url.scheme());
    auto target_url_is_http = Web::Fetch::Infrastructure::is_http_or_https_scheme(target_url.scheme());

    if (!current_url_is_http || !target_url_is_http)
        return !current_url_is_http && !target_url_is_http;

    // Disallow cross-site HTTP(S) navigation.
    return current_url.origin().is_same_site(target_url.origin());
}

}
LibWeb+LibWebView+WebContent: Begin implementing simple site islotation Site isolation is a common technique to reduce the chance that malicious sites can access data from other sites. When the user navigates, we now check if the target site is the same as the current site. If not, we instruct the UI to perform the navigation in a new WebContent process. The phrase "site" here is defined as the public suffix of the URL plus one level. This means that navigating from "www.example.com" to "sub.example.com" remains in the same process. There's plenty of room for optimization around this. For example, we can create a spare WebContent process ahead of time to hot-swap the target site. We can also create a policy to keep the navigated-from process around, in case the user quickly navigates back. 2025-03-09 11:40:34 -04:00			`/*`
			`* Copyright (c) 2025, Tim Flynn <trflynn89@ladybird.org>`
			`*`
			`* SPDX-License-Identifier: BSD-2-Clause`
			`*/`

			`#include <LibURL/URL.h>`
			`#include <LibWeb/Fetch/Infrastructure/URL.h>`
			`#include <LibWeb/HTML/BrowsingContext.h>`
			`#include <LibWebView/SiteIsolation.h>`

			`namespace WebView {`

LibWebView+WebContent: Add a command-line flag to disable site isolation 2025-03-11 19:25:34 -04:00			`static bool s_site_isolation_enabled = true;`

			`void disable_site_isolation()`
			`{`
			`s_site_isolation_enabled = false;`
			`}`

LibWeb+LibWebView+WebContent: Begin implementing simple site islotation Site isolation is a common technique to reduce the chance that malicious sites can access data from other sites. When the user navigates, we now check if the target site is the same as the current site. If not, we instruct the UI to perform the navigation in a new WebContent process. The phrase "site" here is defined as the public suffix of the URL plus one level. This means that navigating from "www.example.com" to "sub.example.com" remains in the same process. There's plenty of room for optimization around this. For example, we can create a spare WebContent process ahead of time to hot-swap the target site. We can also create a policy to keep the navigated-from process around, in case the user quickly navigates back. 2025-03-09 11:40:34 -04:00			`bool is_url_suitable_for_same_process_navigation(URL::URL const& current_url, URL::URL const& target_url)`
			`{`
LibWebView+WebContent: Add a command-line flag to disable site isolation 2025-03-11 19:25:34 -04:00			`if (!s_site_isolation_enabled)`
			`return true;`

LibWeb+LibWebView+WebContent: Begin implementing simple site islotation Site isolation is a common technique to reduce the chance that malicious sites can access data from other sites. When the user navigates, we now check if the target site is the same as the current site. If not, we instruct the UI to perform the navigation in a new WebContent process. The phrase "site" here is defined as the public suffix of the URL plus one level. This means that navigating from "www.example.com" to "sub.example.com" remains in the same process. There's plenty of room for optimization around this. For example, we can create a spare WebContent process ahead of time to hot-swap the target site. We can also create a policy to keep the navigated-from process around, in case the user quickly navigates back. 2025-03-09 11:40:34 -04:00			`// Allow navigating from about:blank to any site.`
			`if (Web::HTML::url_matches_about_blank(current_url))`
			`return true;`

			`// Allow cross-scheme non-HTTP(S) navigation. Disallow cross-scheme HTTP(s) navigation.`
			`auto current_url_is_http = Web::Fetch::Infrastructure::is_http_or_https_scheme(current_url.scheme());`
			`auto target_url_is_http = Web::Fetch::Infrastructure::is_http_or_https_scheme(target_url.scheme());`

			`if (!current_url_is_http \|\| !target_url_is_http)`
			`return !current_url_is_http && !target_url_is_http;`

			`// Disallow cross-site HTTP(S) navigation.`
			`return current_url.origin().is_same_site(target_url.origin());`
			`}`

			`}`