1 of 8

Frame Lifecycle

2 of 8

Today

  • navigate: https://chromium.org/

LocalFrame [1]
  LocalDOMWindow [1]
    Document [1]

3 of 8

Today

  • navigate: https://chromium.org/
  • navigate: https://www.chromium.org/Home

LocalFrame [1]
  LocalDOMWindow [2]
    Document [2]

4 of 8

Today

  • navigate: https://chromium.org/
  • navigate: https://www.chromium.org/Home
  • add subframe: <iframe src="https://chromium.org/Login">

LocalFrame [1]
  LocalDOMWindow [2]
    Document [2]
  LocalFrame [3]
    LocalDOMWindow [3]
      Document [3]

5 of 8

Today

  • navigate: https://chromium.org/
  • navigate: https://www.chromium.org/Home
  • add subframe: <iframe src="https://chromium.org/Login">
  • subframe load: https://chromium.org/Login

LocalFrame [1]
  LocalDOMWindow [2]
    Document [2]
  LocalFrame [3]
    LocalDOMWindow [3]
      Document [4]

6 of 8

Today

  • navigate: https://chromium.org/
  • navigate: https://www.chromium.org/Home
  • add subframe: <iframe src="https://chromium.org/Login">
  • subframe load: https://chromium.org/Login
  • subframe navigate: https://accounts.google.com/

LocalFrame [1]
  LocalDOMWindow [2]
    Document [2]
  RemoteFrame [5]
    RemoteDOMWindow [5]

7 of 8

Why does this matter?

  • Using LocalFrame as a stand-in for the Document it currently holds can lead to (security) bugs, because the frame outlives the document across a navigation: https://crbug.com/693695
  • Having three closely related objects with subtly different lifetimes is complicated
  • Hard to track Document lifetime in the browser process, where RenderFrameHost is scoped to the frame rather than to the document: https://crbug.com/729021
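The frame tree on slides 2 through 6 and the stale-LocalFrame hazard on slide 7, as an added illustration in C++ that is not Blink code: a toy model whose class names follow the slides but whose step counter, `SiteOf` rule (registrable domain taken as the last two host labels), URL strings and helper functions are assumptions of this example. If every event increments a counter and each object records the step at which it was created, replaying the five events reproduces the bracketed numbers on the slides: the LocalFrame keeps its number across navigations, the LocalDOMWindow survives only the first navigation away from a subframe's initial empty document, the Document is replaced every time, and a cross-site subframe navigation swaps all three for a RemoteFrame/RemoteDOMWindow pair. The last part shows why caching a `LocalFrame*` is dangerous: after the navigation the pointer is still valid, but the Document and URL behind it have changed, which a per-document generation check catches.

```cpp
// Toy model of the lifecycle on slides 2-6 and the stale-LocalFrame hazard on slide 7.
// Added illustration, not Blink code: names mirror Blink's, but the step counter,
// the "site" rule and the URL strings are this example's own assumptions.
#include <memory>
#include <string>
#include <utility>
#include <vector>

static int g_step = 0;  // each slide event advances this; "[n]" = creation step

struct Document { int created_at; std::string url; bool initial_empty; };  // initial_empty: a new subframe's about:blank
struct DOMWindow { int created_at; bool is_remote; std::unique_ptr<Document> document; };  // RemoteDOMWindow has no Document
struct Frame {  // LocalFrame or RemoteFrame; outlives the windows/documents it holds
  int created_at; bool is_remote;
  std::unique_ptr<DOMWindow> window;
  std::unique_ptr<Frame> child;  // one subframe slot is all the slides need
  const Document* GetDocument() const { return window ? window->document.get() : nullptr; }
};

// Assumed site rule: last two host labels (www.chromium.org -> chromium.org). Expects "https://host/...".
static std::string SiteOf(const std::string& url) {
  std::string host = url.substr(8, url.find('/', 8) - 8);
  size_t dot = host.rfind('.', host.rfind('.') - 1);
  return dot == std::string::npos ? host : host.substr(dot + 1);
}

static std::unique_ptr<Document> NewDocument(const std::string& url, bool initial_empty) {
  return std::make_unique<Document>(Document{g_step, url, initial_empty});
}
static std::unique_ptr<DOMWindow> NewWindow(bool is_remote, std::unique_ptr<Document> doc) {
  return std::make_unique<DOMWindow>(DOMWindow{g_step, is_remote, std::move(doc)});
}
static std::unique_ptr<Frame> NewFrame(bool is_remote, std::unique_ptr<DOMWindow> win) {
  return std::make_unique<Frame>(Frame{g_step, is_remote, std::move(win), nullptr});
}

static std::unique_ptr<Frame> CreateMainFrame(const std::string& url) {
  ++g_step;  // slide 2: a fresh main frame committing its first document
  return NewFrame(false, NewWindow(false, NewDocument(url, false)));
}

static void AddSubframe(Frame& parent) {
  ++g_step;  // slide 4: the new child starts on an initial empty document
  parent.child = NewFrame(false, NewWindow(false, NewDocument("about:blank", true)));
}

// Commit a cross-document navigation in the frame held by |slot|. |parent_site| is the embedder's
// site for a subframe, nullptr for the main frame (top-level cross-site swaps are not on the slides).
static void Navigate(std::unique_ptr<Frame>& slot, const std::string& url, const std::string* parent_site) {
  ++g_step;
  if (parent_site && SiteOf(url) != *parent_site) {
    // Slide 6: LocalFrame, LocalDOMWindow and Document are torn down together and a
    // RemoteFrame/RemoteDOMWindow proxy takes over the slot.
    slot = NewFrame(true, NewWindow(true, nullptr));
  } else if (slot->GetDocument() && slot->GetDocument()->initial_empty) {
    slot->window->document = NewDocument(url, false);  // slide 5: window kept, document replaced
  } else {
    slot->window = NewWindow(false, NewDocument(url, false));  // slide 3: both replaced
  }
}

// Label a frame as the slides do, e.g. "LocalFrame [1] LocalDOMWindow [2] Document [2]".
static std::string Describe(const Frame& f) {
  std::string s = (f.is_remote ? "RemoteFrame [" : "LocalFrame [") + std::to_string(f.created_at) + "]";
  s += (f.window->is_remote ? " RemoteDOMWindow [" : " LocalDOMWindow [") + std::to_string(f.window->created_at) + "]";
  if (const Document* d = f.GetDocument()) s += " Document [" + std::to_string(d->created_at) + "]";
  return s;
}

// Replay the five events of slides 2-6; returns "main | child" after each one.
static std::vector<std::string> RunSlides() {
  g_step = 0;
  std::vector<std::string> out;
  std::unique_ptr<Frame> main_frame;
  auto snapshot = [&] {
    out.push_back(Describe(*main_frame) + (main_frame->child ? " | " + Describe(*main_frame->child) : ""));
  };
  main_frame = CreateMainFrame("https://chromium.org/");                    snapshot();
  Navigate(main_frame, "https://www.chromium.org/Home", nullptr);           snapshot();
  AddSubframe(*main_frame);                                                  snapshot();
  std::string parent_site = SiteOf(main_frame->GetDocument()->url);          // "chromium.org"
  Navigate(main_frame->child, "https://chromium.org/Login", &parent_site);   snapshot();
  Navigate(main_frame->child, "https://accounts.google.com/", &parent_site); snapshot();
  return out;
}

// Slide 7's hazard: state keyed off a LocalFrame* survives the navigation that replaced the
// Document it was computed for. Remembering the document's creation step and re-checking it
// is one way to make that staleness detectable.
static bool DocumentUnchanged(const Frame& f, int document_generation) {
  return f.GetDocument() && f.GetDocument()->created_at == document_generation;
}

// Returns {URL the cached frame pointer now reports, whether the staleness check still passes}.
static std::pair<std::string, bool> StaleStateDemo() {
  g_step = 0;
  auto main_frame = CreateMainFrame("https://chromium.org/");
  const Frame* cached = main_frame.get();              // the frame-keyed reference
  int generation = cached->GetDocument()->created_at;  // what a careful caller also keeps
  Navigate(main_frame, "https://www.chromium.org/Home", nullptr);
  return {cached->GetDocument()->url, DocumentUnchanged(*cached, generation)};
}
```

Driving this from a `main` that prints `RunSlides()` gives one line per slide. The model deliberately stops short of top-level cross-site swaps, of process boundaries (a RemoteFrame here is just a node without a Document), and of the about:blank origin-inheritance rules that slide 8 refers to; it exists only to make the object identities on the slides, and the reason a cached frame pointer is not a document identity, concrete.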

8 of 8

Plan

  • Fix about:blank origin inheritance bugs: https://crbug.com/778318
  • Refactor frame swapping so LocalFrame→LocalFrame swaps are possible
  • On commit, create a new LocalFrame and swap in the new frame.
    • Simplifies unload logic: only one teardown path for navigation
    • Reduces behavior delta between LocalFrame and RemoteFrame
  • RenderFrameHost will naturally become scoped to Document lifetime; cases where a document is replaced without an ordinary navigation commit still need handling:
    • javascript: URLs
    • XSLT
    • document.open()