understanding-tauri-process-model
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseTauri Process Model
Tauri 进程模型
Tauri implements a multi-process architecture similar to Electron and modern web browsers. Understanding this model is essential for building secure, performant Tauri applications.
Tauri 采用了与 Electron 和现代浏览器类似的多进程架构。理解该模型是构建安全、高性能 Tauri 应用的关键。
Architecture Overview
架构概述
+------------------------------------------------------------------+
| TAURI APPLICATION |
+------------------------------------------------------------------+
| |
| +-----------------------------+ |
| | CORE PROCESS | |
| | (Rust) | |
| | | |
| | +----------------------+ | |
| | | Window Manager | | |
| | +----------------------+ | |
| | | System Tray | | |
| | +----------------------+ | |
| | | Global State | | |
| | +----------------------+ | |
| | | IPC Router | | |
| | +----------------------+ | |
| | | OS Abstractions | | |
| +-------------+---------------+ |
| | |
| | IPC (Inter-Process Communication) |
| | |
| +----------+----------+----------+ |
| | | | | |
| v v v v |
| +------+ +------+ +------+ +------+ |
| |WebView| |WebView| |WebView| |WebView| |
| | #1 | | #2 | | #3 | | #N | |
| +------+ +------+ +------+ +------+ |
| | HTML | | HTML | | HTML | | HTML | |
| | CSS | | CSS | | CSS | | CSS | |
| | JS | | JS | | JS | | JS | |
| +------+ +------+ +------+ +------+ |
| |
+------------------------------------------------------------------++------------------------------------------------------------------+
| TAURI APPLICATION |
+------------------------------------------------------------------+
| |
| +-----------------------------+ |
| | CORE PROCESS | |
| | (Rust) | |
| | | |
| | +----------------------+ | |
| | | Window Manager | | |
| | +----------------------+ | |
| | | System Tray | | |
| | +----------------------+ | |
| | | Global State | | |
| | +----------------------+ | |
| | | IPC Router | | |
| | +----------------------+ | |
| | | OS Abstractions | | |
| +-------------+---------------+ |
| | |
| | IPC (Inter-Process Communication) |
| | |
| +----------+----------+----------+ |
| | | | | |
| v v v v |
| +------+ +------+ +------+ +------+ |
| |WebView| |WebView| |WebView| |WebView| |
| | #1 | | #2 | | #3 | | #N | |
| +------+ +------+ +------+ +------+ |
| | HTML | | HTML | | HTML | | HTML | |
| | CSS | | CSS | | CSS | | CSS | |
| | JS | | JS | | JS | | JS | |
| +------+ +------+ +------+ +------+ |
| |
+------------------------------------------------------------------+The Core Process
Core 进程
The Core process is the application's entry point and central hub. It runs Rust code and has exclusive access to operating system capabilities.
Core 进程是应用的入口点和中心枢纽,运行 Rust 代码并拥有操作系统功能的独家访问权限。
Responsibilities
职责
| Responsibility | Description |
|---|---|
| Window Management | Creates and orchestrates application windows |
| System Integration | Manages system tray menus and notifications |
| IPC Routing | Handles all inter-process communication |
| Global State | Manages application-wide settings and database connections |
| OS Abstractions | Provides cross-platform APIs |
| 职责 | 描述 |
|---|---|
| 窗口管理 | 创建并协调应用窗口 |
| 系统集成 | 管理系统托盘菜单和通知 |
| IPC 路由 | 处理所有进程间通信 |
| 全局状态 | 管理应用级设置和数据库连接 |
| 操作系统抽象 | 提供跨平台 API |
Why Rust for the Core Process
为何选择 Rust 作为 Core 进程开发语言
Rust powers the Core process for its memory-safety guarantees. The ownership system prevents:
- Null pointer dereferences
- Buffer overflows
- Data races
- Use-after-free bugs
This is critical because the Core process has full system access.
+------------------------------------------+
| CORE PROCESS |
| |
| Memory Safety via Rust Ownership: |
| - No null pointers |
| - No buffer overflows |
| - No data races |
| - No use-after-free |
| |
| Full OS Access: |
| - File system |
| - Network |
| - System APIs |
| - Hardware interfaces |
+------------------------------------------+Rust 为 Core 进程提供了内存安全保障,其所有权系统可防止:
- 空指针解引用
- 缓冲区溢出
- 数据竞争
- 悬垂引用
这一点至关重要,因为 Core 进程拥有完整的系统访问权限。
+------------------------------------------+
| CORE PROCESS |
| |
| Memory Safety via Rust Ownership: |
| - No null pointers |
| - No buffer overflows |
| - No data races |
| - No use-after-free |
| |
| Full OS Access: |
| - File system |
| - Network |
| - System APIs |
| - Hardware interfaces |
+------------------------------------------+The WebView Process
WebView 进程
WebView processes render the user interface using the operating system's native WebView library.
WebView 进程使用操作系统的原生 WebView 库渲染用户界面。
Platform-Specific WebViews
平台专属 WebView
+------------------+------------------+------------------+
| WINDOWS | MACOS | LINUX |
+------------------+------------------+------------------+
| | | |
| Microsoft Edge | WKWebView | webkitgtk |
| WebView2 | | |
| | | |
| Chromium-based | Safari engine | WebKit engine |
| | | |
+------------------+------------------+------------------+
| | |
+------------------+------------------+
|
Dynamic Linking
(Not bundled)
|
Smaller executables+------------------+------------------+------------------+
| WINDOWS | MACOS | LINUX |
+------------------+------------------+------------------+
| | | |
| Microsoft Edge | WKWebView | webkitgtk |
| WebView2 | | |
| | | |
| Chromium-based | Safari engine | WebKit engine |
| | | |
+------------------+------------------+------------------+
| | |
+------------------+------------------+
|
Dynamic Linking
(Not bundled)
|
Smaller executablesKey Characteristics
核心特性
- Dynamic Linking: WebView libraries are linked at runtime, not bundled
- Web Technologies: Execute HTML, CSS, and JavaScript
- Framework Support: Works with React, Vue, Svelte, Solid, etc.
- Isolation: Each WebView runs in its own process space
- 动态链接:WebView 库在运行时链接,而非打包进应用
- Web 技术栈:执行 HTML、CSS 和 JavaScript
- 框架支持:兼容 React、Vue、Svelte、Solid 等框架
- 隔离性:每个 WebView 运行在独立的进程空间中
Process Communication (IPC)
进程间通信(IPC)
All communication between processes flows through the Core process.
+----------------+ +----------------+
| WebView A | | WebView B |
| | | |
| invoke() ----+---->+----------------+<------+---- invoke() |
| | | CORE PROCESS | | |
| <---- listen |<----+ +------>| listen ----> |
| | | - Validates | | |
+----------------+ | - Routes | +----------------+
| - Filters |
| - Transforms |
+----------------+
|
v
+----------------+
| OS / System |
| Resources |
+----------------+进程间的所有通信均通过 Core 进程中转。
+----------------+ +----------------+
| WebView A | | WebView B |
| | | |
| invoke() ----+---->+----------------+<------+---- invoke() |
| | | CORE PROCESS | | |
| <---- listen |<----+ +------>| listen ----> |
| | | - Validates | | |
+----------------+ | - Routes | +----------------+
| - Filters |
| - Transforms |
+----------------+
|
v
+----------------+
| OS / System |
| Resources |
+----------------+IPC Flow
IPC 流程
- WebView calls with a command name and payload
invoke() - Core process receives the message
- Core process validates and processes the request
- Core process may interact with OS resources
- Core process sends response back to WebView
- WebView 调用 并传入命令名称和负载
invoke() - Core 进程接收消息
- Core 进程验证并处理请求
- Core 进程可能与操作系统资源交互
- Core 进程将响应返回给 WebView
Example: Basic IPC
示例:基础 IPC
Frontend (JavaScript)
javascript
import { invoke } from '@tauri-apps/api/core';
// Call a Rust command
const result = await invoke('greet', { name: 'World' });Backend (Rust)
rust
#[tauri::command]
fn greet(name: &str) -> String {
format!("Hello, {}!", name)
}前端(JavaScript)
javascript
import { invoke } from '@tauri-apps/api/core';
// Call a Rust command
const result = await invoke('greet', { name: 'World' });后端(Rust)
rust
#[tauri::command]
fn greet(name: &str) -> String {
format!("Hello, {}!", name)
}Multiwindow Handling
多窗口处理
A single Core process manages multiple WebView processes.
+-------------------+
| CORE PROCESS |
| |
| Shared State: |
| - User session |
| - App config |
| - DB connection |
+-------------------+
/|\
/ | \
/ | \
/ | \
/ | \
v v v
+------+ +------+ +------+
|Main | |Settings| |About|
|Window| |Window | |Window|
+------+ +------+ +------+单个 Core 进程可管理多个 WebView 进程。
+-------------------+
| CORE PROCESS |
| |
| Shared State: |
| - User session |
| - App config |
| - DB connection |
+-------------------+
/|\
/ | \
/ | \
/ | \
/ | \
v v v
+------+ +------+ +------+
|Main | |Settings| |About|
|Window| |Window | |Window|
+------+ +------+ +------+Window Management Patterns
窗口管理模式
Creating Windows
rust
use tauri::Manager;
#[tauri::command]
fn open_settings(app: tauri::AppHandle) {
tauri::WebviewWindowBuilder::new(
&app,
"settings",
tauri::WebviewUrl::App("settings.html".into())
)
.title("Settings")
.build()
.unwrap();
}Cross-Window Communication
rust
use tauri::Manager;
#[tauri::command]
fn broadcast_update(app: tauri::AppHandle, data: String) {
// Emit to all windows
app.emit("data-updated", data).unwrap();
}Window-Specific Events
rust
use tauri::Manager;
#[tauri::command]
fn notify_window(app: tauri::AppHandle, window_label: String, data: String) {
if let Some(window) = app.get_webview_window(&window_label) {
window.emit("notification", data).unwrap();
}
}创建窗口
rust
use tauri::Manager;
#[tauri::command]
fn open_settings(app: tauri::AppHandle) {
tauri::WebviewWindowBuilder::new(
&app,
"settings",
tauri::WebviewUrl::App("settings.html".into())
)
.title("Settings")
.build()
.unwrap();
}跨窗口通信
rust
use tauri::Manager;
#[tauri::command]
fn broadcast_update(app: tauri::AppHandle, data: String) {
// Emit to all windows
app.emit("data-updated", data).unwrap();
}窗口专属事件
rust
use tauri::Manager;
#[tauri::command]
fn notify_window(app: tauri::AppHandle, window_label: String, data: String) {
if let Some(window) = app.get_webview_window(&window_label) {
window.emit("notification", data).unwrap();
}
}Process Isolation and Security
进程隔离与安全
The Principle of Least Privilege
最小权限原则
"If you have a gardener coming over to trim your hedge, you give them the key to your garden. You would not give them the keys to your house."
+------------------------------------------------------------------+
| SECURITY BOUNDARIES |
+------------------------------------------------------------------+
| |
| +---------------------------+ +---------------------------+ |
| | CORE PROCESS | | WEBVIEW PROCESS | |
| | (Trusted Zone) | | (Untrusted Zone) | |
| +---------------------------+ +---------------------------+ |
| | | | | |
| | - File system access | | - Render UI only | |
| | - Database connections | | - User input handling | |
| | - Network requests | | - Display data | |
| | - Crypto operations | | - Call allowed commands | |
| | - Secrets management | | | |
| | - Business logic | | NO DIRECT ACCESS TO: | |
| | | | - File system | |
| | | | - Network (direct) | |
| | | | - System APIs | |
| +---------------------------+ +---------------------------+ |
| |
+------------------------------------------------------------------+"如果请园丁来修剪篱笆,你只会给他们花园的钥匙,而不会把家里的钥匙也交给他们。"
+------------------------------------------------------------------+
| SECURITY BOUNDARIES |
+------------------------------------------------------------------+
| |
| +---------------------------+ +---------------------------+ |
| | CORE PROCESS | | WEBVIEW PROCESS | |
| | (Trusted Zone) | | (Untrusted Zone) | |
| +---------------------------+ +---------------------------+ |
| | | | | |
| | - File system access | | - Render UI only | |
| | - Database connections | | - User input handling | |
| | - Network requests | | - Display data | |
| | - Crypto operations | | - Call allowed commands | |
| | - Secrets management | | | |
| | - Business logic | | NO DIRECT ACCESS TO: | |
| | | | - File system | |
| | | | - Network (direct) | |
| | | | - System APIs | |
| +---------------------------+ +---------------------------+ |
| |
+------------------------------------------------------------------+Security Benefits of Process Isolation
进程隔离的安全优势
| Benefit | Description |
|---|---|
| Crash Containment | Failures in one process don't crash the entire app |
| State Recovery | Invalid processes can be restarted independently |
| Attack Surface Reduction | Compromised WebView has limited capabilities |
| Resource Protection | Sensitive data stays in Core process |
| 优势 | 描述 |
|---|---|
| 崩溃隔离 | 单个进程故障不会导致整个应用崩溃 |
| 状态恢复 | 异常进程可独立重启 |
| 攻击面缩减 | 被攻陷的 WebView 能力受限 |
| 资源保护 | 敏感数据仅存于 Core 进程 |
Security Best Practices
安全最佳实践
In the Frontend (WebView)
- Sanitize all user input
- Never handle secrets
- Defer business logic to Core process
- Implement Content Security Policy (CSP)
In the Backend (Core Process)
- Validate all IPC inputs
- Use the capability system to restrict commands
- Apply principle of least privilege to each window
前端(WebView)
- 对所有用户输入进行 sanitize 处理
- 绝不处理敏感信息
- 将业务逻辑委托给 Core 进程
- 实现内容安全策略(CSP)
后端(Core 进程)
- 验证所有 IPC 输入
- 使用能力系统限制命令访问
- 为每个窗口应用最小权限原则
Capability-Based Security
基于能力的安全机制
Tauri uses a capability system to control what each window can access.
+------------------+ +------------------+ +------------------+
| Main Window | | Settings Window | | Viewer Window |
+------------------+ +------------------+ +------------------+
| Capabilities: | | Capabilities: | | Capabilities: |
| - read_file | | - read_config | | - read_file |
| - write_file | | - write_config | | (read only) |
| - network | | | | |
| - notifications | | | | |
+------------------+ +------------------+ +------------------+Example: Capability Configuration
json
{
"identifier": "main-capability",
"description": "Capability for the main window",
"windows": ["main"],
"permissions": [
"core:default",
"fs:read-files",
"fs:write-files",
"http:default"
]
}Tauri 使用能力系统控制每个窗口的访问权限。
+------------------+ +------------------+ +------------------+
| Main Window | | Settings Window | | Viewer Window |
+------------------+ +------------------+ +------------------+
| Capabilities: | | Capabilities: | | Capabilities: |
| - read_file | | - read_config | | - read_file |
| - write_file | | - write_config | | (read only) |
| - network | | | | |
| - notifications | | | | |
+------------------+ +------------------+ +------------------+示例:能力配置
json
{
"identifier": "main-capability",
"description": "Capability for the main window",
"windows": ["main"],
"permissions": [
"core:default",
"fs:read-files",
"fs:write-files",
"http:default"
]
}Process Lifecycle
进程生命周期
+------------------------------------------------------------------+
| APPLICATION LIFECYCLE |
+------------------------------------------------------------------+
| |
| 1. App Launch |
| +------------------+ |
| | Core Process | <-- Starts first |
| | Initializes | |
| +------------------+ |
| | |
| v |
| 2. Window Creation |
| +------------------+ |
| | WebView Process | <-- Core creates WebViews |
| | Spawned | |
| +------------------+ |
| | |
| v |
| 3. Running |
| +--------+ IPC +----------+ |
| | Core |<--------->| WebViews | |
| +--------+ +----------+ |
| | |
| v |
| 4. Shutdown |
| +------------------+ |
| | WebViews close | <-- WebViews terminate first |
| | Core cleans up | <-- Core process exits last |
| +------------------+ |
| |
+------------------------------------------------------------------++------------------------------------------------------------------+
| APPLICATION LIFECYCLE |
+------------------------------------------------------------------+
| |
| 1. App Launch |
| +------------------+ |
| | Core Process | <-- Starts first |
| | Initializes | |
| +------------------+ |
| | |
| v |
| 2. Window Creation |
| +------------------+ |
| | WebView Process | <-- Core creates WebViews |
| | Spawned | |
| +------------------+ |
| | |
| v |
| 3. Running |
| +--------+ IPC +----------+ |
| | Core |<--------->| WebViews | |
| +--------+ +----------+ |
| | |
| v |
| 4. Shutdown |
| +------------------+ |
| | WebViews close | <-- WebViews terminate first |
| | Core cleans up | <-- Core process exits last |
| +------------------+ |
| |
+------------------------------------------------------------------+Summary
总结
| Aspect | Core Process | WebView Process |
|---|---|---|
| Language | Rust | JavaScript/TypeScript |
| Quantity | One per app | One or more per app |
| OS Access | Full | None (via IPC only) |
| Role | Backend, orchestration | UI rendering |
| Security | Trusted | Untrusted |
| Crash Impact | App terminates | Window closes |
The Tauri process model provides a secure foundation for building desktop applications by maintaining strict separation between the trusted Core process and the potentially vulnerable WebView processes. All sensitive operations should be implemented in the Core process, with the WebView serving only as a presentation layer.
| 维度 | Core 进程 | WebView 进程 |
|---|---|---|
| 开发语言 | Rust | JavaScript/TypeScript |
| 进程数量 | 每个应用一个 | 每个应用一个或多个 |
| 系统访问权限 | 完整权限 | 无直接权限(仅通过 IPC) |
| 角色 | 后端、协调管控 | UI 渲染 |
| 安全级别 | 可信 | 不可信 |
| 崩溃影响 | 整个应用终止 | 仅对应窗口关闭 |
Tauri 进程模型通过严格区分可信的 Core 进程和潜在易受攻击的 WebView 进程,为桌面应用提供了安全基础。所有敏感操作都应在 Core 进程中实现,WebView 仅作为展示层。