Sandboxing and performance refactors: Process-level Sandbox, Webview Management, and Dat Process

[pfrazee]

Related to #19

These are some inter-related changes that we should have on the roadmap, but which can't happen until electron lands the changes discussed in electron/electron#6712 (comment). (Thanks, Tarruda!)

1. Sandbox the BrowserWindow and webview processes

This is the process-level sandbox, that works in addition to the Javascript sandbox. It won't be feasible or provide any benefit until Tarruda lands the needed changes: IPC message filtering, and the ability to instantiate webviews from a sandboxed renderer.

2. Investigate moving all webview management into the main (browser) process

It turns out that all webContents objects are instantiated in the main process, so any time that the shell-window interacts with a webview, it has to do an IPC call to main. That's a performance drag, and it also will increase the IPC surface area after the sandboxing is enabled.

We should investigate what it would take to move all webview management into the main process, and then reducing the shell-window to UI tasks.

3. Investigate moving all Dat behaviors into a separate process

Dat's network handling involves crypto operations that can slow down the thread. If that processing occurs in the main thread, there's a chance that the UI will start to stutter. To avoid that, we should investigate moving the Dat processing into a separate process. The downside of this approach is that it would incur additional messaging latency, so we'll have to bench the difference.

[kewde]

I've been investigating the electron sandbox, seeing who is doing what in the landscape.
I've looked through Brave (and their Muon electron fork) and I thought I'd take a look at what Beaker is doing.

I've accumulated quite a bit of knowledge in the following repo surrounding the basic electron usage, I will be working on examples and docs for Muon soonish.
https://github.com/kewde/electron-sandbox-boilerplate

In case you see something interesting on the topic of 'sandbox' & electron/chromium, then feel free to tag me.

[pfrazee]

@kewde We've actually decided to migrate to Muon sometime this year. I discussed the issue with some Electron members and they told me they just don't have the means to make Electron safe for untrusted code. Muon is designed for that, so we're making the move.

I'll be interested to see your muon examples!

[webdesserts]

We should investigate what it would take to move all webview management into the main process, and then reducing the shell-window to UI tasks.

@pfrazee is this something that you're still interested in now that you're planning on moving to Muon? Does Muon even have the same background-process/shell-window split?

[pfrazee]

@webdesserts I think it might even be mandatory for Muon. So yeah, all 3 of these tasks are still on the todo list. I think the Muon re-architecting might exclude item 3 though, because moving Dat to another process can be done separately.