Google has improved the Site Isolation feature in Chrome to help defend against more types of attacks.
Now, it can handle attacks where the renderer process is fully compromised via a security bug, such as memory corruption or Universal Cross-Site Scripting (UXSS), the Internet giant says.
Site Isolation in Chrome 77, Google says, can help protect sensitive data from such compromised renderer processes.
It ensures that only processes locked to the corresponding site have access to that site's cookies and stored passwords, and it uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) out of a process even if that process misrepresents its origin. Additionally, it protects resources that are served with a Cross-Origin-Resource-Policy header.
Site Isolation in Chrome now also ensures that renderer processes can only access stored data (e.g., localStorage) or permissions (e.g., microphone) according to the process's site lock, and that Chrome's browser process can verify the source origin of postMessage and BroadcastChannel messages rather than trusting the renderer's claim.
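The two checks above have a counterpart on the web developer's side: serving sensitive resources with a Cross-Origin-Resource-Policy header so the browser can refuse to hand them to another site's process, and verifying the origin of postMessage events before acting on them. The following is an added example, not Chrome's code or anything from Google's announcement; it models the CORP decision (for a no-cors request) and an origin-checked message receiver. The function and variable names, the sample origins, and the approximation of a "site" as scheme plus the last two DNS labels (a real browser uses the Public Suffix List) are all assumptions made for this example.

```javascript
// Added example (not Chrome's code): a small model of two checks the
// article describes, seen from a site operator's point of view.
//
// 1. Cross-Origin-Resource-Policy (CORP): given the header value a server
//    sent and the origins involved, decide whether the browser may deliver
//    the response body to the requesting document's process. CORP governs
//    no-cors requests; CORS-mode requests are governed by CORS instead.
// 2. postMessage: a receiver that only accepts messages whose event.origin
//    is on an explicit allow-list.
//
// Assumption: "site" is approximated as scheme + the last two DNS labels.
// A real browser uses the Public Suffix List to find the registrable domain.

function siteOf(originString) {
  const url = new URL(originString);
  const labels = url.hostname.split(".");
  const registrable = labels.slice(-2).join(".");
  return `${url.protocol}//${registrable}`;
}

// Returns true when the resource may be delivered to the requesting
// origin's process, false when CORP blocks it. A missing or unrecognized
// header value does not block: the header is opt-in protection, and other
// defenses (such as Cross-Origin Read Blocking) may still apply.
function corpAllows(headerValue, requestingOrigin, resourceOrigin) {
  const policy = (headerValue || "").trim().toLowerCase();
  switch (policy) {
    case "same-origin":
      return requestingOrigin === resourceOrigin;
    case "same-site":
      // Scheme is part of the site here, so http -> https mismatches block.
      return siteOf(requestingOrigin) === siteOf(resourceOrigin);
    case "cross-origin":
      return true;
    default:
      return true;
  }
}

// Builds the response header a server should attach to a sensitive resource.
function corpHeader(policy) {
  const allowed = new Set(["same-origin", "same-site", "cross-origin"]);
  if (!allowed.has(policy)) throw new Error(`invalid CORP value: ${policy}`);
  return { "Cross-Origin-Resource-Policy": policy };
}

// postMessage receiver: accepts only messages from allow-listed origins.
// `event` mirrors the MessageEvent shape ({ origin, data }). In a page,
// the returned handler would be registered with
// window.addEventListener("message", handler).
function makeMessageHandler(trustedOrigins, onAccepted) {
  const trusted = new Set(trustedOrigins);
  return function handleMessage(event) {
    if (!trusted.has(event.origin)) {
      // Drop silently in production; returning a reason here aids testing.
      return { accepted: false, reason: `untrusted origin ${event.origin}` };
    }
    onAccepted(event.data);
    return { accepted: true };
  };
}

// Constructed scenarios (sample origins are made up for this example).
function demo() {
  const results = {
    sameOriginAllowed: corpAllows("same-origin", "https://bank.example", "https://bank.example"),
    sameOriginBlocked: corpAllows("same-origin", "https://other.example", "https://bank.example"),
    sameSiteAllowed: corpAllows("same-site", "https://app.bank.example", "https://api.bank.example"),
    sameSiteBlocked: corpAllows("same-site", "https://other.example", "https://bank.example"),
    noHeaderAllowed: corpAllows(undefined, "https://other.example", "https://bank.example"),
  };
  const received = [];
  const handler = makeMessageHandler(["https://bank.example"], (d) => received.push(d));
  results.trustedMessage = handler({ origin: "https://bank.example", data: "balance" }).accepted;
  results.untrustedMessage = handler({ origin: "https://other.example", data: "x" }).accepted;
  results.receivedCount = received.length;
  return results;
}

module.exports = { siteOf, corpAllows, corpHeader, makeMessageHandler, demo };
```

Run with `node` and call `demo()` to see each scenario's outcome; the `same-site` case is where the approximation of a site matters most, since hosts under a shared public suffix (such as `github.io`) would be wrongly treated as one site by the two-label heuristic.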
Google is also broadening the scope of the Chrome Vulnerability Reward Program to also cover cross-site data disclosures involving compromised renderers.
For a limited time, the Internet search company may pay higher rewards for security bugs affecting Site Isolation compared to those normally offered for information disclosure.
With Chrome 77, Google also announced, Site Isolation is available for Android users.
“Like Site Isolation on desktop, this launch leverages OS processes to make it harder for attackers to steal data from other websites. In particular, it offers the most effective defense against Spectre-like CPU vulnerabilities,” Google says.
To ensure the feature does not affect user experience, given that the mobile platform is a resource-constrained environment, Chrome brings a “slimmer form of Site Isolation” to Android, which is only enabled for high-value sites, where users log in with a password.
“This protects sites with sensitive data that users likely care about, such as banks or shopping sites, while allowing process sharing among less critical sites,” Google says.
Chrome remembers sites with password interactions and keeps a list of isolated sites locally on the device. It clears the list when the user clears their browsing history or other site data. The browser also isolates a crowdsourced list of sites frequently accessed by mobile users.
Android users and developers should not notice a performance impact, even though Site Isolation on desktop carries a 3-5% total memory overhead in real workloads.
Google has enabled Site Isolation for 99% of users on Android devices with enough RAM (2GB or more). The 1% holdback is to monitor and improve performance.
“While we investigate how to bring this support to more devices, users who desire the most complete protection for their devices may manually opt in to full Site Isolation via chrome://flags/#enable-site-per-process, which will isolate all websites but carry higher memory cost,” Google explains.
The Internet giant is also working on additional ways of detecting when a site should be protected by Site Isolation, such as an opt-in mechanism for website operators.