Security Experts:

Connect with us

Hi, what are you looking for?



Site Isolation is Coming to Firefox

Mozilla is getting ready to boost the security of Firefox users with the addition of Site Isolation in the not too distant future. 

Mozilla is getting ready to boost the security of Firefox users with the addition of Site Isolation in the not too distant future. 

Dubbed Project Fission, the initiative aims to split cross-site iframes into different processes than their parent frame, marking a major step in the evolution of Firefox’s process model. 

The goal, Mozilla developer Nika Layzell says, is to protect not only against known vulnerabilities, but also against potential future vulnerabilities. 

The initiative is a reaction to Spectre and Meltdown, major CPU security vulnerabilities revealed last year and found to impact almost all modern processors. The bugs could lead to exfiltration of secrets stored in memory of other running programs via side channels, including cryptographic keys and passwords.  

The timing attack posed a serious threat to browsers, mainly due to the fact that webpages often serve JavaScript from multiple domains that run in the same process.

“We were able to mitigate these vulnerabilities right away. However, these mitigations may not save us in the future if another security vulnerability is released exploiting the same underlying problem of sharing processes (and hence, memory) between different domains, some of which may be malicious,” Layzell notes. 

Google has already addressed such concerns with the introduction of Site Isolation in Chrome at the end of 2017, and Mozilla is currently working on making a similar move with Project Fission, which has been under development for the past year. 

“In the coming weeks and months, we’ll need help from all Firefox teams to adapt our code to a post-Fission browser architecture. Fission is a massive project, spanning across many different teams, so keeping track of what everyone is doing is a pretty big task,” Layzell says. 

With much of the initial infrastructure ground work already done, Mozilla is moving to keeping track of Project Fission’s evolution in milestones (collections of new features and improved functionality), with Milestone 1 currently targeted for the end of February. 

However, Layzell hasn’t yet provided an estimated availability date for Site Isolation in Firefox. 

Related: Researchers Disclose 7 New Meltdown, Spectre Attacks

Related: Chrome Improves Security for Enterprise Use

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet