
Process Model

Tauri employs a multi-process architecture similar to Electron or many modern web browsers. This guide explores the reasons behind the design choice and why it is key to writing secure applications.

Why Multiple Processes?

In the early days of GUI applications, it was common to use a single process to perform computation, draw the interface and react to user input. As you can probably guess, this meant that a long-running, expensive computation would leave the user interface unresponsive, or worse, a failure in one app component would bring the whole app crashing down.

It became clear that a more resilient architecture was needed, and applications began running different components in different processes. This makes much better use of modern multi-core CPUs and creates far safer applications. A crash in one component doesn’t affect the whole system anymore, as components are isolated in different processes. If a process gets into an invalid state, we can easily restart it.

We can also limit the blast radius of potential exploits by handing out only the minimum amount of permissions to each process, just enough so they can get their job done. This pattern is known as the Principle of Least Privilege, and you see it in the real world all the time. If you have a gardener coming over to trim your hedge, you give them the key to your garden. You would not give them the keys to your house; why would they need access to that? The same concept applies to computer programs. The less access we give them, the less harm they can do if they get compromised.

The Core Process

Each Tauri application has a core process, which acts as the application’s entry point and which is the only component with full access to the operating system.

The Core’s primary responsibility is to use that access to create and orchestrate application windows, system-tray menus, or notifications. Tauri implements the necessary cross-platform abstractions to make this easy. It also routes all Inter-Process Communication through the Core process, allowing you to intercept, filter, and manipulate IPC messages in one central place.

The Core process should also be responsible for managing global state, such as settings or database connections. This allows you to easily synchronize state between windows and protect your business-sensitive data from prying eyes in the Frontend.
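
The filtering and state-ownership roles described above, modelled in plain Rust as an added example; it is not Tauri's API and not code from the Tauri project. The `Core` type, `handle_ipc`, the window labels, command names and token value are all hypothetical.

```rust
use std::collections::{HashMap, HashSet};

/// Model of the Core process: it alone owns the secret and the per-window grants.
pub struct Core {
    api_token: String, // stays in the Core, never sent to a WebView
    grants: HashMap<&'static str, HashSet<&'static str>>, // window label -> commands
}

#[derive(Debug, PartialEq)]
pub enum Reply {
    Ok(String),
    Denied,                // this window is not granted the command
    Invalid(&'static str), // argument failed validation in the Core
}

impl Core {
    pub fn new(api_token: &str) -> Self {
        let mut grants = HashMap::new();
        grants.insert("main", HashSet::from(["get_setting", "sync_account"]));
        grants.insert("preview", HashSet::from(["get_setting"])); // least privilege
        Core { api_token: api_token.to_string(), grants }
    }

    /// Single choke point: every message from every window passes through here.
    pub fn handle_ipc(&self, window: &str, command: &str, arg: &str) -> Reply {
        let allowed = self.grants.get(window).map_or(false, |g| g.contains(command));
        if !allowed {
            return Reply::Denied;
        }
        // The argument is untrusted, whatever the frontend already checked.
        let well_formed = !arg.is_empty() && arg.len() <= 32
            && arg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
        if !well_formed {
            return Reply::Invalid("argument must be 1-32 chars of [A-Za-z0-9_]");
        }
        match command {
            "get_setting" => Reply::Ok(format!("{}=default", arg)),
            // The token is used here; only the outcome goes back to the window.
            "sync_account" => Reply::Ok(format!("synced {} ({}-byte token used)", arg, self.api_token.len())),
            _ => Reply::Denied,
        }
    }
}

fn main() {
    let core = Core::new("constructed-sample-token"); // constructed value
    println!("{:?}", core.handle_ipc("main", "sync_account", "alice"));
    println!("{:?}", core.handle_ipc("preview", "sync_account", "alice"));
    println!("{:?}", core.handle_ipc("main", "get_setting", "../etc"));
}
```

A compromised `preview` window in this model can only read settings; the account command and the token remain out of its reach because the decision is made in the Core, not in the frontend.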

We chose Rust to implement Tauri because its concept of Ownership guarantees memory safety while retaining excellent performance.

Figure: Simplified representation of the Tauri process model. A single Core process manages one or more WebView processes.

The WebView Process

The Core process doesn’t render the actual user interface (UI) itself; it spins up WebView processes that leverage WebView libraries provided by the operating system. A WebView is a browser-like environment that executes your HTML, CSS, and JavaScript.

This means that most of your techniques and tools used in traditional web development can be used to create Tauri applications. For example, many Tauri examples are written using the Svelte frontend framework and the Vite bundler.

Security best practices apply as well; for example, you must always sanitize user input, never handle secrets in the Frontend, and ideally defer as much business logic as possible to the Core process to keep your attack surface small.

Unlike other similar solutions, the WebView libraries are not included in your final executable but dynamically linked at runtime [1]. This makes your application significantly smaller, but it also means that you need to keep platform differences in mind, just like traditional web development.

Footnotes

  1. Currently, Tauri uses Microsoft Edge WebView2 on Windows, WKWebView on macOS and webkitgtk on Linux.

