STE WILLIAMS

Google claims Site Isolation will stop Spectre haunting Chrome users

Google is touting the benefits of a recently introduced browser security feature called Site Isolation.

Site Isolation has been gradually introduced to users of the Chrome browser over several months, but now Google has officially unveiled this important piece of tech.

When Site Isolation is enabled, Chrome runs a different browser process for each internet domain. Google initially described Site Isolation as an “additional security boundary between websites,” preventing malicious sites from messing with the code of legitimate domains.

Rather than being positioned as an enhancement to defend against cross-site scripting attacks, the technology is now being presented as a necessary defence against the infamous Spectre vulnerability, as a blog post from Google explains.

Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we’re excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS.

Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

Site Isolation was available as an optional (under the hood) feature after it was introduced with Chrome 63 in December 2017. It was enabled by default on desktops with the release of Chrome 67, at the end of May, as previously reported.
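For admins who do not want to wait for the gradual rollout or rely on users leaving the default alone, the enterprise policy route mentioned above can be scripted. The snippet below is an added example, not code from the article or from Google: it writes a managed Chrome policy file on Linux that forces Site Isolation on, and provides a check that reads it back. `SitePerProcess` is Chrome's real enterprise policy name for this setting; the managed-policy directory is Chrome's standard Linux location, made overridable here so the script can be tested in a scratch directory.

```shell
#!/bin/sh
# Added example: deploy and verify a managed Chrome policy enabling Site Isolation.
# Not from the original article; assumes Chrome on Linux and the standard managed
# policy directory (override POLICY_DIR for testing).
POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"

# Write the policy file. Managed policies are enforced by the browser and
# cannot be switched off by the user from chrome://flags.
write_site_isolation_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/site_isolation.json" <<'EOF'
{
  "SitePerProcess": true
}
EOF
}

# Check: succeeds (exit 0) only when the policy file exists and sets
# SitePerProcess to true; fails otherwise, so it can gate a compliance scan.
site_isolation_enforced() {
    f="$1/site_isolation.json"
    [ -f "$f" ] && grep -q '"SitePerProcess"[[:space:]]*:[[:space:]]*true' "$f"
}

# Usage: run as root with the default directory, then restart Chrome.
# write_site_isolation_policy "$POLICY_DIR" && site_isolation_enforced "$POLICY_DIR"
```

After a restart, chrome://policy lists `SitePerProcess` as an applied policy; for a one-off test without a policy file, the same behaviour can be requested with the `--site-per-process` command-line flag. On Windows the equivalent is the `SitePerProcess` DWORD set to 1 under the Chrome policies key in the registry.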

In its blog post, Google goes on to explain how the tech works, adding that it had been working on Site Isolation even before Spectre appeared in January.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre.

Site Isolation changes Chrome’s behaviour under the hood, but this “generally shouldn’t cause visible changes for most users or web developers,” according to Google. Although the vast majority (99 per cent) of Chrome users are being moved onto Site Isolation, Google is keeping one in 100 on a temporary holdback to “monitor and improve performance”.

[Diagram: Site Isolation in Chrome] With Site Isolation, a single page may now be split across multiple renderer processes using out-of-process iframes.

Spectre patches have been known to impair performance in other contexts, but it doesn’t seem that the Chocolate Factory anticipates issues. The long soft launch of the technology provided plenty of time to iron out any wrinkles, after all.

Google is investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Ahead of prime time, experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/chrome_site_isolation/
