Creating iframes dynamically which run in their own processes

octopus

Apr 26, 2019, 8:51:12 AM4/26/19
to Chromium-discuss
Hi,

Assume I want to create an application that enables editing and executing JavaScript code:
  • The user starts the Chromium browser and browses a static web server running on localhost
  • After browsing localhost, the static web server can (and may) be stopped
  • The user can create several "tabs" inside this application with a text editor field; "tabs" are more or less just these text fields, so no actual browser tabs
  • The user can execute the code in the "tabs", either all together, individual "tabs", any combination of these "tabs", periodically, you name it
  • The JavaScript code in these "tabs" could be any kind of code and should be considered as untrusted
  • Communicating between the "tabs" and the application using `postMessage` is absolutely desired. Sending the JavaScript code of these "tabs" to the actual iframes is pretty much the thing I have in mind.
Since I want to consider the code in the "tabs" as untrusted, I want to encapsulate it in an iframe for each "tab". I also want these iframes to be executed in individual processes. This means when I open the Chromium Task Manager, I want to see a process for each tab. Since neither the number of open "tabs" nor the code in the "tabs" is known a priori, I need to create the iframes and their content (i.e. the code in the "tabs") during the runtime of the application. This is what I understand by "creating iframes dynamically". This means I cannot set the "src" attribute to an existing URL. I need to create the content of each iframe (i.e. each "tab") by manipulating strings etc.

Before you ask, the combination iframe (+sandbox) in their own process is done in order to defend in depth. This means this is one layer in order to protect the main application from the "tabs" and the "tabs" from each other (this is the reason I want to run every "tab" in its own process).
Please consider that I don't actually want to create the mentioned application, but it is IMO an easy-to-understand example of what I actually want to achieve. There is also no option for me to use a different tool or write the application with Electron, C++ etc. It must run in the browser and it should only use specified ECMAScript, HTML etc. features.
Consider it as a thought experiment.

I performed some research and some experiments regarding creating iframes dynamically that run in their own processes. So far I was not successful.

Here are some links I did find regarding site-isolation etc. in Chromium:
My understanding of the implementation of site-isolation and out-of-process iframes is:
If the iframe is from a different site, then it is run as another process. This is consistent with CORS behavior, AFAIK.

Here are some experiments I did:
  • Creating iframes and setting their content via iframe.contentWindow.document.open()/write()/close() does not create a process. And I need to use the sandbox flags "allow-scripts" and "allow-same-origin", which, according to https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#Attributes, removes the sandbox features from within iframes and would usurp my intentions completely
  • Using the "srcDoc" and "src" attribute with "data uri" does not create a process
  • I can force a process if I create an iframe on "src" 127.0.0.1 with the main page running on localhost (no joke ;) ). However this does not fit my definition of "dynamic". It would also mean that the server cannot be stopped. It would be possible to create iframes for each "tab" in this way with a static HTML + JavaScript combination that actually can execute the scripts, BUT then all "tabs" would be executed in the same process and may potentially harm each other
  • I can create iframes on bogus "src" IP addresses like 0.0.0.1 and 0.0.0.2 (and so on ...) but a) I get an obvious error that the target does not exist and b) I cannot actually execute anything then, since the target does not exist :) . Creates a process for each iframe though.
  • I also tried to force one site per process with the flag `--site-per-process` (without success) or to force site isolation on localhost (using `--isolate-origins`), but with no success either
Has anyone an idea how I can create an iframe dynamically that reliably runs in its own process?

Best regards,

octopus
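The sandbox-plus-postMessage layer the post describes, as an added example that is not from the post or from Chromium: each "tab" is a srcdoc iframe with an opaque origin (so it cannot reach the app's DOM or storage even though Chromium keeps it in the app's process), and its code arrives over postMessage instead of being concatenated into HTML. The helper names are this example's own assumptions.

```javascript
// Added example (not from the post): one editor "tab" = one sandboxed iframe
// with an opaque origin, fed its untrusted code over postMessage.
// Assumes a browser; helper names are this example's own.

// Only allow-scripts. allow-same-origin would make the tab same-origin with
// the app on localhost (reaching its DOM and storage), so it and the
// navigation/popup/form tokens are refused.
const SANDBOX_TOKENS = ["allow-scripts"];
const FORBIDDEN_TOKENS = ["allow-same-origin", "allow-top-navigation",
  "allow-popups", "allow-forms"];

function isSafeSandbox(tokens) {
  return tokens.length > 0 && !tokens.some((t) => FORBIDDEN_TOKENS.includes(t));
}

// Fixed bootstrap for every tab. Tab code is never concatenated into this
// HTML, so it cannot break out of the <script>; it arrives via postMessage,
// only the embedding window is accepted as sender, and the reply is sent
// back to exactly the origin the code came from.
const TAB_BOOTSTRAP = `<!doctype html><meta charset="utf-8"><script>
addEventListener("message", (e) => {
  if (e.source !== parent) return;
  let result;
  try { result = String(new Function(e.data.code)()); }
  catch (err) { result = "error: " + err.message; }
  parent.postMessage({ id: e.data.id, result }, e.origin);
});
<\/script>`;

function createTab(doc, container) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", SANDBOX_TOKENS.join(" "));
  frame.setAttribute("srcdoc", TAB_BOOTSTRAP);
  container.appendChild(frame);
  return frame;
}

// Every opaque-origin frame reports origin "null", so the sending window,
// not event.origin, identifies which tab replied. Returns the tab index or -1.
function tabIndexForReply(event, frames) {
  if (typeof event.data !== "object" || event.data === null) return -1;
  return frames.findIndex((f) => f.contentWindow === event.source);
}

function runInTab(frame, id, code) {
  // "*" is required here: an opaque origin cannot be named as targetOrigin,
  // but the message still goes only to this one frame's window.
  frame.contentWindow.postMessage({ id, code }, "*");
}
```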