Google Chrome 77 enables Site Isolation for better security on Android
Google Chrome is undoubtedly one of the most popular web browsers out there and for good reason. It’s fast, it has a minimal user interface and it has some amazing features that you won’t find on any other browser. Google also lays emphasis on making Chrome as secure as possible and it keeps adding new feature ensure the same. Site Isolation is one such feature that was introduced with Chrome 67 back in April 2018. The feature essentially brought about a major change in Chrome’s architecture, limiting each renderer process to documents from a single site. This allowed Chrome to rely on the operating system to prevent attacks between processes, and therefore, between sites. Now, this feature is finally making its way to Chrome on Android with the Chrome 77 update.
Site Isolation on Chrome for Android
Much like Site Isolation on desktop, the feature uses OS processes to make it difficult for attackers to steal data from other websites. Most importantly, it offers the most effective defense against Spectre-like CPU vulnerabilities. However, since Site Isolation is a fairly resource intensive feature, it is bound to cause issues on Android devices. Which is why Chrome for Android makes use of a slimmer form of Site Isolation that only works on high-value sites where users log in with a password.
Following the update, once Chrome identifies a password interaction on a website, future visits to that website will be protected by Site Isolation. This means that the website will be rendered in its own dedicated renderer process, keeping it isolated from other websites. If you navigate to a different website, the tab will automatically switch processes and cross-site iframes will be put into a different process altogether. Thankfully, Chrome has already crowdsourced a list of websites where mobile users enter passwords most frequently, which means that you’ll be protected on these sites right from the get-go.
Google promises that the implementation is just a behind-the-scenes architectural change that shouldn’t change the experience for users or developers. Although, since there is a 3-5% total memory overhead in real workloads, so you might notice some effect on performance. It’s worth noting that following the update, password-triggered Site Isolation will be made available to 99% of Chrome users who have a device with at least 2GB of RAM, while the remaining 1% will be held back to monitor and improve performance. In case password-triggered Site Isolation just doesn’t cut it for you, you can also enable full Site Isolation via chrome://flags/#enable-site-per-process. But before you do that, take note that isolating all websites will have a higher memory cost, resulting in poorer performance.
Updates for Site Isolation on Desktop
Chrome 77 for desktop also includes some changes to Site Isolation which will help defend against significantly stronger attacks. Previously, Site Isolation targeted Spectre-like attacks that could leak data from a particular renderer process. With the update, Site Isolation will now be able to deal with severe attacks in which the rederer process is fully compromised via a security bug.
In Chrome 77, Site Isolation will help protect several types of sensitive data from such compromised renderer processes, including:
- Authentication: Cookies and stored passwords can only be accessed by processes locked to the corresponding site.
- Network data: Site Isolation uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) from a process, even if that process tries to lie to Chrome’s network stack about its origin. Resources labeled with a Cross-Origin-Resource-Policy header are also protected.
- Stored data and permissions: Renderer processes can only access stored data (e.g., localStorage) or permissions (e.g., microphone) based on the process’s site lock.
- Cross-origin messaging: Chrome’s browser process can verify the source origin of postMessage and BroadcastChannel messages, preventing the renderer process from lying about who sent the message.
Additionally, Google plans to continue improving compromised renderer protection in the following ways:
- Bringing these protections to Chrome for Android: This requires extra work to handle the case where only certain sites are isolated.
- Protecting CSRF defenses: Sec-Fetch-Site and Origin request headers can be verified to prevent compromised renderers from forging them.
- Protecting more types of data: We are investigating how to protect additional data types by default with Cross-Origin Read Blocking.
- Removing exceptions: We are working to remove cases where these protections may not yet apply. For example, a small set of extensions still have broader cross-site access from content scripts, until they update to the new security model. We have already worked with extension authors to bring the affected Chrome user population down from 14% to 2%, as well as harden other extension security issues. Also, Site Isolation does not apply to Flash, which is currently disabled by default and is on a deprecation path.
Source: Chromium Blog