[go: nahoru, domu]
Google Git
Sign in
chromium / chromium / src / 85285b04a02b765d7e4741f1e1588ae520c226d6 / . / android_webview / renderer
tree: dd53543d29e62821498ea74b0dbbdcfec7b1ad55 [path history] [tgz]
  1. aw_content_renderer_client.cc
  2. aw_content_renderer_client.h
  3. aw_content_settings_client.cc
  4. aw_content_settings_client.h
  5. aw_key_systems.cc
  6. aw_key_systems.h
  7. aw_print_render_frame_helper_delegate.cc
  8. aw_print_render_frame_helper_delegate.h
  9. aw_render_frame_ext.cc
  10. aw_render_frame_ext.h
  11. aw_render_thread_observer.cc
  12. aw_render_thread_observer.h
  13. aw_render_view_ext.cc
  14. aw_render_view_ext.h
  15. aw_safe_browsing_error_page_controller_delegate_impl.cc
  16. aw_safe_browsing_error_page_controller_delegate_impl.h
  17. aw_url_loader_throttle_provider.cc
  18. aw_url_loader_throttle_provider.h
  19. aw_websocket_handshake_throttle_provider.cc
  20. aw_websocket_handshake_throttle_provider.h
  21. browser_exposed_renderer_interfaces.cc
  22. browser_exposed_renderer_interfaces.h
  23. BUILD.gn
  24. DEPS
  25. OWNERS
  26. README.md
android_webview/renderer/README.md

//android_webview/renderer/

This folder holds WebView's renderer-specific code.

Folder dependencies

Like with other content embedders, //android_webview/renderer/ can depend on //android_webview/common/ but not //android_webview/browser/. It can also depend on content layer (and lower layers) as other embedders would (ex. can depend on //content/public/renderer/, //content/public/common/).

In-process renderer

On Lollipop (API 21) through Nougat MR1 (API 25) WebView has only a single renderer, which runs in the browser process (so there's no sandboxing). The renderer runs on a separate thread, which we would call the “renderer thread.”

Android Nougat has a developer option to enable an out-of-process renderer, but the renderer is in-process by default.

Out-of-process renderer

Starting in Oreo (API 26) WebView has a single out-of-process renderer (we sometimes refer to this as “multiprocess mode”). This is enabled for high-memory devices (low-memory devices still use an in-process renderer as before).

The out-of-process renderer is enabled by a new Android API (android:externalService), to create sandboxed processes which run in the embedding app's context rather than the WebView provider's context.

Without this API, we could only declare a fixed number of renderer processes to run in the WebView provider‘s context, and WebView (running in the app’s process) would have to pick one of these declared services to use as the renderer process. This would be a security problem because:

  • There‘s no trivial way for WebView (running in the app) to figure out which services are in-use, and reusing a service which is already in-use would mix content from two different apps in the same process (which violates Android’s trust model).
  • Even if we had a way to pick a not-in-use service, because WebView runs in the app's process, a malicious app could override this logic to intentionally pick an in-use service, with the goal of compromising another app on the system.
  • We have to declare a fixed number of services in the manifest. Even if we could securely put each app‘s content in a separate renderer process, supposing we’ve declared N services, the N+1th app will not have an empty service available and will have to share.

Running renderers in the app's context ensures content from two apps are always isolated, aligning with the Android security model.

Recovering from renderer crashes

Starting with Oreo, Android apps have the opportunity to recover from renderer crashes by overriding WebViewClient#onRenderProcessGone(). However, for backwards compatibility, WebView crashes the browser process if the app has not overridden this callback. Therefore, unlike in Chrome, renderer crashes are often non-recoverable.

Multiple renderers

WebView does not support multiple renderer processes, but this may be supported in the future.