Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Boosts Site Isolation in Chrome

Google has improved the Site Isolation feature in Chrome to help defend against more types of attacks.

Google has improved the Site Isolation feature in Chrome to help defend against more types of attacks.

Through Site Isolation, Chrome was so far able to defend against side-channel attacks such as Spectre, which could leak data from a given renderer process.

Now, it can handle attacks where the renderer process is fully compromised via a security bug, such as memory corruption or Universal Cross-Site Scripting (UXSS), the Internet giant says.

Site Isolation in Chrome 77, Google says, can help protect sensitive data from such compromised renderer processes.

It ensures that only processes locked to the corresponding site have access to cookies and stored passwords and also uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) from a process, even if it attempts to mislead regarding its origin. Additionally, it protects resources with a Cross-Origin-Resource-Policy header.

Site Isolation in Chrome now also ensures that renderer processes can only access stored data (e.g., localStorage) or permissions (e.g., microphone) based on the process’ site lock and that Chrome’s process can verify the source origin of postMessage and BroadcastChannel messages.

Google is also broadening the scope of the Chrome Vulnerability Reward Program to also cover cross-site data disclosures involving compromised renderers.

Advertisement. Scroll to continue reading.

For a limited time, the Internet search company may pay higher rewards for security bugs affecting Site Isolation compared to those normally offered for information disclosure.

With Chrome 77, Google also announced, Site Isolation is available for Android users.

“Like Site Isolation on desktop, this launch leverages OS processes to make it harder for attackers to steal data from other websites. In particular, it offers the most effective defense against Spectre-like CPU vulnerabilities,” Google says.

To ensure the feature does not affect user experience, given that the mobile platform is a resource-constrained environment, Chrome brings a “slimmer form of Site Isolation” to Android, which is only enabled for high-value sites, where users log in with a password.

“This protects sites with sensitive data that users likely care about, such as banks or shopping sites, while allowing process sharing among less critical sites,” Google says.

Chrome remembers sites with password interactions and keeps a list of isolated sites locally on the device. It clears the list when the user clears their browsing history or other site data. The browser also isolates a crowdsourced list of sites frequently accessed by mobile users.

Android users and developers should not experience performance impact, although Site Isolation on desktop devices results in a 3-5% total memory overhead in real workloads.

Google has enabled Site Isolation for 99% of users on Android devices with enough RAM (2GB or more). The 1% holdback is to monitor and improve performance.

“While we investigate how to bring this support to more devices, users who desire the most complete protection for their devices may manually opt in to full Site Isolation via chrome://flags/#enable-site-per-process, which will isolate all websites but carry higher memory cost,” Google explains.

The Internet giant is also working on additional ways of detecting when a site should be protected by Site Isolation, such as an opt-in mechanism for website operators.

Related: Google Patches 8 Vulnerabilities in Chrome 77

Related: Chrome 77 Released with 52 Security Fixes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.