An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"
This repository is an attempt to answer the age-old interview question "What happens when you type google.com into your browser's address box and press enter?"
Except instead of the usual story, we're going to try to answer this question in as much detail as possible. No skipping out on anything.
This is a collaborative process, so dig in and try to help out! There are tons of details missing, just waiting for you to add them! So send us a pull request, please!
This is all licensed under the terms of the
Creative Commons Zero_ license.
Read this in
简体中文_ (simplified Chinese),
日本語_ (Japanese) and
한국어_ (Korean). NOTE: these have not been reviewed by the alex/what-happens-when maintainers.
.. contents:: :backlinks: none :local:
The following sections explain the physical keyboard actions and the OS interrupts. When you press the key "g" the browser receives the event and the auto-complete functions kick in. Depending on your browser's algorithm and if you are in private/incognito mode or not various suggestions will be presented to you in the dropdown below the URL bar. Most of these algorithms sort and prioritize results based on search history, bookmarks, cookies, and popular searches from the internet as a whole. As you are typing "google.com" many blocks of code run and the suggestions will be refined with each keypress. It may even suggest "google.com" before you finish typing it.
To pick a zero point, let's choose the Enter key on the keyboard hitting the bottom of its range. At this point, an electrical circuit specific to the enter key is closed (either directly or capacitively). This allows a small amount of current to flow into the logic circuitry of the keyboard, which scans the state of each key switch, debounces the electrical noise of the rapid intermittent closure of the switch, and converts it to a keycode integer, in this case 13. The keyboard controller then encodes the keycode for transport to the computer. This is now almost universally over a Universal Serial Bus (USB) or Bluetooth connection, but historically has been over PS/2 or ADB connections.
In the case of the USB keyboard:
The USB circuitry of the keyboard is powered by the 5V supply provided over pin 1 from the computer's USB host controller.
The keycode generated is stored by internal keyboard circuitry memory in a register called "endpoint".
The host USB controller polls that "endpoint" every ~10ms (minimum value declared by the keyboard), so it gets the keycode value stored on it.
This value goes to the USB SIE (Serial Interface Engine) to be converted in one or more USB packets that follow the low-level USB protocol.
Those packets are sent by a differential electrical signal over D+ and D- pins (the middle 2) at a maximum speed of 1.5 Mb/s, as an HID (Human Interface Device) device is always declared to be a "low-speed device" (USB 2.0 compliance).
This serial signal is then decoded at the computer's host USB controller, and interpreted by the computer's Human Interface Device (HID) universal keyboard device driver. The value of the key is then passed into the operating system's hardware abstraction layer.
In the case of Virtual Keyboard (as in touch screen devices):
When the user puts their finger on a modern capacitive touch screen, a tiny amount of current gets transferred to the finger. This completes the circuit through the electrostatic field of the conductive layer and creates a voltage drop at that point on the screen. The
screen controllerthen raises an interrupt reporting the coordinate of the keypress.
Then the mobile OS notifies the currently focused application of a press event in one of its GUI elements (which now is the virtual keyboard application buttons).
The virtual keyboard can now raise a software interrupt for sending a 'key pressed' message back to the OS.
This interrupt notifies the currently focused application of a 'key pressed' event.
The keyboard sends signals on its interrupt request line (IRQ), which is mapped to an
interrupt vector(integer) by the interrupt controller. The CPU uses the
Interrupt Descriptor Table(IDT) to map the interrupt vectors to functions (
interrupt handlers) which are supplied by the kernel. When an interrupt arrives, the CPU indexes the IDT with the interrupt vector and runs the appropriate handler. Thus, the kernel is entered.
WM_KEYDOWNmessage is sent to the app
The HID transport passes the key down event to the
KBDHID.sysdriver which converts the HID usage into a scancode. In this case, the scan code is
KBDHID.sysdriver interfaces with the
KBDCLASS.sys(keyboard class driver). This driver is responsible for handling all keyboard and keypad input in a secure manner. It then calls into
Win32K.sys(after potentially passing the message through 3rd party keyboard filters that are installed). This all happens in kernel mode.
Win32K.sysfigures out what window is the active window through the
GetForegroundWindow()API. This API provides the window handle of the browser's address box. The main Windows "message pump" then calls
SendMessage(hWnd, WM_KEYDOWN, VK_RETURN, lParam).
lParamis a bitmask that indicates further information about the keypress: repeat count (0 in this case), the actual scan code (can be OEM dependent, but generally wouldn't be for
VK_RETURN), whether extended keys (e.g. alt, shift, ctrl) were also pressed (they weren't), and some other state.
SendMessageAPI is a straightforward function that adds the message to a queue for the particular window handle (
hWnd). Later, the main message processing function (called a
WindowProc) assigned to the
hWndis called in order to process each message in the queue.
The window (
hWnd) that is active is actually an edit control and the
WindowProcin this case has a message handler for
WM_KEYDOWNmessages. This code looks within the 3rd parameter that was passed to
wParam) and, because it is
VK_RETURNknows the user has hit the ENTER key.
KeyDownNSEvent is sent to the app
The interrupt signal triggers an interrupt event in the I/O Kit kext keyboard driver. The driver translates the signal into a key code which is passed to the OS X
WindowServerprocess. Resultantly, the
WindowServerdispatches an event to any appropriate (e.g. active or listening) applications through their Mach port where it is placed into an event queue. Events can then be read from this queue by threads with sufficient privileges calling the
mach_ipc_dispatchfunction. This most commonly occurs through, and is handled by, an
NSApplicationmain event loop, via an
When a graphical
X serveris used,
Xwill use the generic event driver
evdevto acquire the keypress. A re-mapping of keycodes to scancodes is made with
X serverspecific keymaps and rules. When the scancode mapping of the key pressed is complete, the
X serversends the character to the
window manager(DWM, metacity, i3, etc), so the
window managerin turn sends the character to the focused window. The graphical API of the window that receives the character prints the appropriate font symbol in the appropriate focused field.
The browser now has the following information contained in the URL (Uniform Resource Locator):
Protocol"http" Use 'Hyper Text Transfer Protocol'
Resource"/" Retrieve main (index) page
When no protocol or valid domain name is given the browser proceeds to feed the text given in the address box to the browser's default web search engine. In many cases the URL has a special piece of text appended to it to tell the search engine that it came from a particular browser's URL bar.
google.comthere won't be any, but if there were the browser would apply
Punycode_ encoding to the hostname portion of the URL.
downgrade attack_, which is why the HSTS list is included in modern web browsers.)
gethostbynamelibrary function (varies by OS) to do the lookup.
gethostbynamechecks if the hostname can be resolved by reference in the local
hostsfile (whose location
varies by OS_) before trying to resolve the hostname through DNS.
gethostbynamedoes not have it cached nor can find it in the
hostsfile then it makes a request to the DNS server configured in the network stack. This is typically the local router or the ISP's caching DNS server.
ARP processbelow for the DNS server.
ARP processbelow for the default gateway IP.
In order to send an ARP (Address Resolution Protocol) broadcast the network stack library needs the target IP address to lookup. It also needs to know the MAC address of the interface it will use to send out the ARP broadcast.
The ARP cache is first checked for an ARP entry for our target IP. If it is in the cache, the library function returns the result: Target IP = MAC.
If the entry is not in the ARP cache:
The route table is looked up, to see if the Target IP address is on any of the subnets on the local route table. If it is, the library uses the interface associated with that subnet. If it is not, the library uses the interface that has the subnet of our default gateway.
The MAC address of the selected network interface is looked up.
The network library sends a Layer 2 (data link layer of the
OSI model_) ARP request:
Sender MAC: interface:mac:address:here Sender IP: interface.ip.goes.here Target MAC: FF:FF:FF:FF:FF:FF (Broadcast) Target IP: target.ip.goes.here
Depending on what type of hardware is between the computer and the router:
ARP Reply(see below)
ARP Reply(see below).
If the computer is connected to a switch, the switch will check its local CAM/MAC table to see which port has the MAC address we are looking for. If the switch has no entry for the MAC address it will rebroadcast the ARP request to all other ports.
If the switch has an entry in the MAC/CAM table it will send the ARP request to the port that has the MAC address we are looking for.
If the router is on the same "wire", it will respond with an
ARP Reply(see below)
Sender MAC: target:mac:address:here Sender IP: target.ip.goes.here Target MAC: interface:mac:address:here Target IP: interface.ip.goes.here
Now that the network library has the IP address of either our DNS server or the default gateway it can resume its DNS process:
Once the browser receives the IP address of the destination server, it takes that and the given port number from the URL (the HTTP protocol defaults to port 80, and HTTPS to port 443), and makes a call to the system library function named
socketand requests a TCP socket stream -
At this point the packet is ready to be transmitted through either:
Cellular data network_
For most home or small business Internet connections the packet will pass from your computer, possibly through a local network, and then through a modem (MOdulator/DEModulator) which converts digital 1's and 0's into an analog signal suitable for transmission over telephone, cable, or wireless telephony connections. On the other end of the connection is another modem which converts the analog signal back into digital data to be processed by the next
network node_ where the from and to addresses would be analyzed further.
Most larger businesses and some newer residential connections will have fiber or direct Ethernet connections in which case the data remains digital and is passed directly to the next
network node_ for processing.
Eventually, the packet will reach the router managing the local subnet. From there, it will continue to travel to the autonomous system's (AS) border routers, other ASes, and finally to the destination server. Each router along the way extracts the destination address from the IP header and routes it to the appropriate next hop. The time to live (TTL) field in the IP header is decremented by one for each router that passes. The packet will be dropped if the TTL field reaches zero or if the current router has no space in its queue (perhaps due to network congestion).
This send and receive happens multiple times following the TCP connection flow:
The client computer sends a
ClientHellomessage to the server with its Transport Layer Security (TLS) version, list of cipher algorithms and compression methods available.
The server replies with a
ServerHellomessage to the client with the TLS version, selected cipher, selected compression methods and the server's public certificate signed by a CA (Certificate Authority). The certificate contains a public key that will be used by the client to encrypt the rest of the handshake until a symmetric key can be agreed upon.
The client verifies the server digital certificate against its list of trusted CAs. If trust can be established based on the CA, the client generates a string of pseudo-random bytes and encrypts this with the server's public key. These random bytes can be used to determine the symmetric key.
The server decrypts the random bytes using its private key and uses these bytes to generate its own copy of the symmetric master key.
The client sends a
Finishedmessage to the server, encrypting a hash of the transmission up to this point with the symmetric key.
The server generates its own hash, and then decrypts the client-sent hash to verify that it matches. If it does, it sends its own
Finishedmessage to the client, also encrypted with the symmetric key.
From now on the TLS session transmits the application (HTTP) data encrypted with the agreed symmetric key.
Sometimes, due to network congestion or flaky hardware connections, TLS packets will be dropped before they get to their final destination. The sender then has to decide how to react. The algorithm for this is called
TCP congestion control. This varies depending on the sender; the most common algorithms are
cubicon newer operating systems and
New Reno_ on almost all others.
congestion window_ based on the
maximum segment size_ (MSS) of the connection.
If the web browser used was written by Google, instead of sending an HTTP request to retrieve the page, it will send a request to try and negotiate with the server an "upgrade" from HTTP to the SPDY protocol.
If the client is using the HTTP protocol and does not support SPDY, it sends a request to the server of the form::
GET / HTTP/1.1 Host: google.com Connection: close [other headers]
[other headers]refers to a series of colon-separated key-value pairs formatted as per the HTTP specification and separated by single newlines. (This assumes the web browser being used doesn't have any bugs violating the HTTP spec. This also assumes that the web browser is using
HTTP/1.1, otherwise it may not include the
Hostheader in the request and the version specified in the
GETrequest will either be
HTTP/1.1 defines the "close" connection option for the sender to signal that the connection will be closed after completion of the response. For example,
HTTP/1.1 applications that do not support persistent connections MUST include the "close" connection option in every message.
After sending the request and headers, the web browser sends a single blank newline to the server indicating that the content of the request is done.
The server responds with a response code denoting the status of the request and responds with a response of the form::
200 OK [response headers]
Followed by a single newline, and then sends a payload of the HTML content of
www.google.com. The server may then either close the connection, or if headers sent by the client requested it, keep the connection open to be reused for further requests.
If the HTTP headers sent by the web browser included sufficient information for the webserver to determine if the version of the file cached by the web browser has been unmodified since the last retrieval (ie. if the web browser included an
ETagheader), it may instead respond with a request of the form::
304 Not Modified [response headers]
and no payload, and the web browser instead retrieve the HTML from its cache.
After parsing the HTML, the web browser (and server) repeats this process for every resource (image, CSS, favicon.ico, etc) referenced by the HTML page, except instead of
GET / HTTP/1.1the request will be
GET /$(URL relative to www.google.com) HTTP/1.1.
If the HTML referenced a resource on a different domain than
www.google.com, the web browser goes back to the steps involved in resolving the other domain, and follows all steps up to this point for that domain. The
Hostheader in the request will be set to the appropriate server name instead of
The HTTPD (HTTP Daemon) server is the one handling the requests/responses on the server-side. The most common HTTPD servers are Apache or nginx for Linux and IIS for Windows.
TRACE). In the case of a URL entered directly into the address bar, this will be
Once the server supplies the resources (HTML, CSS, JS, images, etc.) to the browser it undergoes the below process:
The browser's functionality is to present the web resource you choose, by requesting it from the server and displaying it in the browser window. The resource is usually an HTML document, but may also be a PDF, image, or some other type of content. The location of the resource is specified by the user using a URI (Uniform Resource Identifier).
The way the browser interprets and displays HTML files is specified in the HTML and CSS specifications. These specifications are maintained by the W3C (World Wide Web Consortium) organization, which is the standards organization for the web.
Browser user interfaces have a lot in common with each other. Among the common user interface elements are:
Browser High-Level Structure
The components of the browsers are:
The rendering engine starts getting the contents of the requested document from the networking layer. This will usually be done in 8kB chunks.
The primary job of the HTML parser is to parse the HTML markup into a parse tree.
The parsing algorithm
HTML cannot be parsed using the regular top-down or bottom-up parsers.
The reasons are:
document.write()calls) can add extra tokens, so the parsing process actually modifies the input.
Unable to use the regular parsing techniques, the browser utilizes a custom parser for parsing HTML. The parsing algorithm is described in detail by the HTML5 specification.
The algorithm consists of two stages: tokenization and tree construction.
Actions when the parsing is finished
At this stage the browser marks the document as interactive and starts parsing scripts that are in "deferred" mode: those that should be executed after the document is parsed. The document state is set to "complete" and a "load" event is fired.
Note there is never an "Invalid Syntax" error on an HTML page. Browsers fix any invalid content and go on.
styleattribute values using
"CSS lexical and syntax grammar"_
StyleSheet object, where each object contains CSS rules with selectors and objects corresponding CSS grammar.
relatively, or other complex features are used. See http://dev.w3.org/csswg/css2/ and http://www.w3.org/Style/CSS/current-work for more details.
During the rendering process the graphical computing layers can use general purpose
CPUor the graphical processor
GPUfor graphical rendering computations the graphical software layers split the task into multiple pieces, so it can take advantage of
GPUmassive parallelism for float point calculations required for the rendering process.
Creative Commons Zero: https://creativecommons.org/publicdomain/zero/1.0/ .. _
"CSS lexical and syntax grammar": http://www.w3.org/TR/CSS2/grammar.html .. _
Punycode: https://en.wikipedia.org/wiki/Punycode .. _
Ethernet: http://en.wikipedia.org/wiki/IEEE802.3 ..
WiFi: https://en.wikipedia.org/wiki/IEEE802.11 ..
Cellular data network: https://en.wikipedia.org/wiki/Cellulardatacommunicationprotocol ..
analog-to-digital converter: https://en.wikipedia.org/wiki/Analog-to-digitalconverter ..
network node: https://en.wikipedia.org/wiki/Computernetwork#Networknodes .. _
TCP congestion control: https://en.wikipedia.org/wiki/TCPcongestioncontrol .. _
cubic: https://en.wikipedia.org/wiki/CUBICTCP ..
New Reno: https://en.wikipedia.org/wiki/TCPcongestioncontrol#TCPNewReno .. _
congestion window: https://en.wikipedia.org/wiki/TCPcongestioncontrol#Congestionwindow ..
maximum segment size: https://en.wikipedia.org/wiki/Maximumsegmentsize .. _
varies by OS: https://en.wikipedia.org/wiki/Hosts%28file%29#Locationinthefilesystem ..
简体中文: https://github.com/skyline75489/what-happens-when-zhCN ..
한국어: https://github.com/SantonyChoi/what-happens-when-KR .. _
日本語: https://github.com/tettttsuo/what-happens-when-JA .. _
downgrade attack: http://en.wikipedia.org/wiki/SSLstripping ..
OSI Model: https://en.wikipedia.org/wiki/OSImodel