Tauri Process Model
Tauri implements a multi-process architecture similar to Electron and modern web browsers. Understanding this model is essential for building secure, performant Tauri applications.
Architecture Overview
+------------------------------------------------------------------+ | TAURI APPLICATION | +------------------------------------------------------------------+ | | | +-----------------------------+ | | | CORE PROCESS | | | | (Rust) | | | | | | | | +----------------------+ | | | | | Window Manager | | | | | +----------------------+ | | | | | System Tray | | | | | +----------------------+ | | | | | Global State | | | | | +----------------------+ | | | | | IPC Router | | | | | +----------------------+ | | | | | OS Abstractions | | | | +-------------+---------------+ | | | | | | IPC (Inter-Process Communication) | | | | | +----------+----------+----------+ | | | | | | | | v v v v | | +------+ +------+ +------+ +------+ | | |WebView| |WebView| |WebView| |WebView| | | | #1 | | #2 | | #3 | | #N | | | +------+ +------+ +------+ +------+ | | | HTML | | HTML | | HTML | | HTML | | | | CSS | | CSS | | CSS | | CSS | | | | JS | | JS | | JS | | JS | | | +------+ +------+ +------+ +------+ | | | +------------------------------------------------------------------+
The Core Process
The Core process is the application's entry point and central hub. It runs Rust code and has exclusive access to operating system capabilities.
Responsibilities
Responsibility Description
Window Management Creates and orchestrates application windows
System Integration Manages system tray menus and notifications
IPC Routing Handles all inter-process communication
Global State Manages application-wide settings and database connections
OS Abstractions Provides cross-platform APIs
Why Rust for the Core Process
Rust powers the Core process for its memory-safety guarantees. The ownership system prevents:
-
Null pointer dereferences
-
Buffer overflows
-
Data races
-
Use-after-free bugs
This is critical because the Core process has full system access.
+------------------------------------------+ | CORE PROCESS | | | | Memory Safety via Rust Ownership: | | - No null pointers | | - No buffer overflows | | - No data races | | - No use-after-free | | | | Full OS Access: | | - File system | | - Network | | - System APIs | | - Hardware interfaces | +------------------------------------------+
The WebView Process
WebView processes render the user interface using the operating system's native WebView library.
Platform-Specific WebViews
+------------------+------------------+------------------+ | WINDOWS | MACOS | LINUX | +------------------+------------------+------------------+ | | | | | Microsoft Edge | WKWebView | webkitgtk | | WebView2 | | | | | | | | Chromium-based | Safari engine | WebKit engine | | | | | +------------------+------------------+------------------+ | | | +------------------+------------------+ | Dynamic Linking (Not bundled) | Smaller executables
Key Characteristics
-
Dynamic Linking: WebView libraries are linked at runtime, not bundled
-
Web Technologies: Execute HTML, CSS, and JavaScript
-
Framework Support: Works with React, Vue, Svelte, Solid, etc.
-
Isolation: Each WebView runs in its own process space
Process Communication (IPC)
All communication between processes flows through the Core process.
+----------------+ +----------------+ | WebView A | | WebView B | | | | | | invoke() ----+---->+----------------+<------+---- invoke() | | | | CORE PROCESS | | | | <---- listen |<----+ +------>| listen ----> | | | | - Validates | | | +----------------+ | - Routes | +----------------+ | - Filters | | - Transforms | +----------------+ | v +----------------+ | OS / System | | Resources | +----------------+
IPC Flow
-
WebView calls invoke() with a command name and payload
-
Core process receives the message
-
Core process validates and processes the request
-
Core process may interact with OS resources
-
Core process sends response back to WebView
Example: Basic IPC
Frontend (JavaScript)
import { invoke } from '@tauri-apps/api/core';
// Call a Rust command const result = await invoke('greet', { name: 'World' });
Backend (Rust)
#[tauri::command] fn greet(name: &str) -> String { format!("Hello, {}!", name) }
Multiwindow Handling
A single Core process manages multiple WebView processes.
+-------------------+
| CORE PROCESS |
| |
| Shared State: |
| - User session |
| - App config |
| - DB connection |
+-------------------+
/|\
/ | \
/ | \
/ | \
/ | \
v v v
+------+ +------+ +------+
|Main | |Settings| |About|
|Window| |Window | |Window|
+------+ +------+ +------+
Window Management Patterns
Creating Windows
use tauri::Manager;
#[tauri::command] fn open_settings(app: tauri::AppHandle) { tauri::WebviewWindowBuilder::new( &app, "settings", tauri::WebviewUrl::App("settings.html".into()) ) .title("Settings") .build() .unwrap(); }
Cross-Window Communication
use tauri::Manager;
#[tauri::command] fn broadcast_update(app: tauri::AppHandle, data: String) { // Emit to all windows app.emit("data-updated", data).unwrap(); }
Window-Specific Events
use tauri::Manager;
#[tauri::command] fn notify_window(app: tauri::AppHandle, window_label: String, data: String) { if let Some(window) = app.get_webview_window(&window_label) { window.emit("notification", data).unwrap(); } }
Process Isolation and Security
The Principle of Least Privilege
"If you have a gardener coming over to trim your hedge, you give them the key to your garden. You would not give them the keys to your house."
+------------------------------------------------------------------+ | SECURITY BOUNDARIES | +------------------------------------------------------------------+ | | | +---------------------------+ +---------------------------+ | | | CORE PROCESS | | WEBVIEW PROCESS | | | | (Trusted Zone) | | (Untrusted Zone) | | | +---------------------------+ +---------------------------+ | | | | | | | | | - File system access | | - Render UI only | | | | - Database connections | | - User input handling | | | | - Network requests | | - Display data | | | | - Crypto operations | | - Call allowed commands | | | | - Secrets management | | | | | | - Business logic | | NO DIRECT ACCESS TO: | | | | | | - File system | | | | | | - Network (direct) | | | | | | - System APIs | | | +---------------------------+ +---------------------------+ | | | +------------------------------------------------------------------+
Security Benefits of Process Isolation
Benefit Description
Crash Containment Failures in one process don't crash the entire app
State Recovery Invalid processes can be restarted independently
Attack Surface Reduction Compromised WebView has limited capabilities
Resource Protection Sensitive data stays in Core process
Security Best Practices
In the Frontend (WebView)
-
Sanitize all user input
-
Never handle secrets
-
Defer business logic to Core process
-
Implement Content Security Policy (CSP)
In the Backend (Core Process)
-
Validate all IPC inputs
-
Use the capability system to restrict commands
-
Apply principle of least privilege to each window
Capability-Based Security
Tauri uses a capability system to control what each window can access.
+------------------+ +------------------+ +------------------+ | Main Window | | Settings Window | | Viewer Window | +------------------+ +------------------+ +------------------+ | Capabilities: | | Capabilities: | | Capabilities: | | - read_file | | - read_config | | - read_file | | - write_file | | - write_config | | (read only) | | - network | | | | | | - notifications | | | | | +------------------+ +------------------+ +------------------+
Example: Capability Configuration
{ "identifier": "main-capability", "description": "Capability for the main window", "windows": ["main"], "permissions": [ "core:default", "fs:read-files", "fs:write-files", "http:default" ] }
Process Lifecycle
+------------------------------------------------------------------+ | APPLICATION LIFECYCLE | +------------------------------------------------------------------+ | | | 1. App Launch | | +------------------+ | | | Core Process | <-- Starts first | | | Initializes | | | +------------------+ | | | | | v | | 2. Window Creation | | +------------------+ | | | WebView Process | <-- Core creates WebViews | | | Spawned | | | +------------------+ | | | | | v | | 3. Running | | +--------+ IPC +----------+ | | | Core |<--------->| WebViews | | | +--------+ +----------+ | | | | | v | | 4. Shutdown | | +------------------+ | | | WebViews close | <-- WebViews terminate first | | | Core cleans up | <-- Core process exits last | | +------------------+ | | | +------------------------------------------------------------------+
Summary
Aspect Core Process WebView Process
Language Rust JavaScript/TypeScript
Quantity One per app One or more per app
OS Access Full None (via IPC only)
Role Backend, orchestration UI rendering
Security Trusted Untrusted
Crash Impact App terminates Window closes
The Tauri process model provides a secure foundation for building desktop applications by maintaining strict separation between the trusted Core process and the potentially vulnerable WebView processes. All sensitive operations should be implemented in the Core process, with the WebView serving only as a presentation layer.