In 2018, Google launched Site Isolation in Chrome 67 to protect against Spectre-style data leaks. The feature uses operating system processes to make it harder for an attacker's website to steal data from other websites. In the new Chrome 77, it can stop even more advanced attacks.
Spectre is a vulnerability that is exploitable in browsers because they combine JavaScript and other content from two or more websites in a single process. This made it possible for an attacker's website to steal sensitive data from another website.
Google addressed the problem in Chrome by introducing Site Isolation. Site Isolation ensures that a process of Chrome's rendering engine, Blink, contains content from at most one site. As a result, attack websites can no longer access the data they want to steal.
Site Isolation is being extended on desktop in Chrome 77. Google engineers Alex Moshchuk and Lukasz Anforowicz explain in a blog post that the feature can now also cope with more serious attacks in which the renderer process has been completely compromised. Chrome therefore offers better protection against theft of data and passwords.
More restrictions on processes
Site Isolation imposes more restrictions on processes in Chrome 77. For example, only processes locked to the corresponding website may access its cookies and stored passwords.
Also, sensitive resource types, such as HTML, XML and PDF, are filtered out of a process by Cross-Origin Read Blocking. In addition, resources carrying a Cross-Origin-Resource-Policy header are protected by Site Isolation.
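To make the two protections concrete, here is an added example (not Chrome's code and not from the article) that models the policy decision as a small function: Cross-Origin Read Blocking keeps responses of the types the article names out of a cross-site renderer, and an explicit Cross-Origin-Resource-Policy header is honoured for any type. The sample responses, the origins `bank.example` and `attacker.example`, and the `siteOf` helper are constructed for illustration; real CORB also sniffs response bodies and protects more types than the three listed here.

```javascript
// Added illustration, not Chrome's code: a simplified model of the two checks
// the article names, Cross-Origin Read Blocking (CORB) and the
// Cross-Origin-Resource-Policy (CORP) response header. Real CORB also sniffs
// response bodies and covers more types (for example JSON); this only shows
// the policy decision a defender should expect for a given response.

// Resource types the article lists as sensitive; Chrome's real list is longer.
const SENSITIVE_MIME_PREFIXES = ['text/html', 'text/xml', 'application/xml', 'application/pdf'];

// Approximate "site" as the last two host labels (good enough for the sample
// hosts below; a real implementation uses the Public Suffix List).
function siteOf(origin) {
  const labels = new URL(origin).hostname.split('.');
  return labels.slice(-2).join('.');
}

// response: { url, headers } with lower-case header names.
// requesterOrigin: origin of the document (renderer process) that fetched it.
function shouldBlock(response, requesterOrigin) {
  const resourceOrigin = new URL(response.url).origin;
  const sameOrigin = resourceOrigin === requesterOrigin;
  const sameSite = siteOf(resourceOrigin) === siteOf(requesterOrigin);
  const corp = (response.headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  const contentType = (response.headers['content-type'] || '').trim().toLowerCase();

  // 1. An explicit CORP header is honoured first, regardless of resource type.
  if (corp === 'same-origin' && !sameOrigin) {
    return { blocked: true, reason: 'CORP same-origin' };
  }
  if (corp === 'same-site' && !sameSite) {
    return { blocked: true, reason: 'CORP same-site' };
  }
  // 2. Without CORP, CORB keeps sensitive types out of cross-site processes.
  if (!sameSite && SENSITIVE_MIME_PREFIXES.some((p) => contentType.startsWith(p))) {
    return { blocked: true, reason: 'CORB sensitive type ' + contentType };
  }
  return { blocked: false, reason: 'delivered to renderer' };
}

// Constructed sample responses (not real traffic) as seen from a renderer for
// https://attacker.example that fetched them cross-site.
const samples = [
  { url: 'https://bank.example/account', headers: { 'content-type': 'text/html; charset=utf-8' } },
  { url: 'https://bank.example/logo.png', headers: { 'content-type': 'image/png' } },
  { url: 'https://bank.example/report.pdf',
    headers: { 'content-type': 'application/pdf', 'cross-origin-resource-policy': 'same-origin' } },
];
for (const r of samples) {
  console.log(r.url, '->', JSON.stringify(shouldBlock(r, 'https://attacker.example')));
}
```

The practical takeaway for site owners is the order of the checks: an accurate `Content-Type` lets CORB do its work, and adding `Cross-Origin-Resource-Policy: same-origin` (or `same-site`) protects resources whose type CORB would not otherwise treat as sensitive, such as images.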
Moreover, renderer processes only gain access to stored data and permissions, such as the microphone, based on the process's site lock. Chrome's browser process can also verify the source of postMessage and BroadcastChannel messages, so a compromised renderer process cannot lie about who is sending a message in order to steal data.
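The browser-side origin verification described above only helps a page that actually checks the origin it is handed. The following added example (not from the article or from Chrome) shows the receiver-side check for `window.postMessage` as a testable function; the origins `app.example` and `login.example` and the sample events are constructed for illustration.

```javascript
// Added illustration, not Chrome's code or the article's: a receiver-side
// check for window.postMessage. Site Isolation in Chrome 77 makes the browser
// process vouch for event.origin, so a compromised renderer cannot forge it;
// the receiving page still has to compare that origin to an allow-list, or
// the guarantee buys nothing.

const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://login.example']);

// event: a MessageEvent-like object { origin, data }.
// Returns a decision instead of acting, so the logic can be exercised offline.
function handleMessage(event, trusted = TRUSTED_ORIGINS) {
  // Exact string comparison of the full origin (scheme + host + port);
  // never use startsWith/includes or a loose regex here.
  if (!trusted.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  // Validate the shape of the payload before dispatching on it.
  const d = event.data;
  if (d === null || typeof d !== 'object' || typeof d.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  return { accepted: true, type: d.type };
}

// Browser wiring (not executed here):
//   window.addEventListener('message', (e) => {
//     if (handleMessage(e).accepted) { /* act on e.data */ }
//   });
// Senders should likewise name the intended target instead of '*':
//   frame.contentWindow.postMessage({ type: 'token-refresh' }, 'https://app.example');

// Constructed sample events (hypothetical origins, not captured traffic).
const sampleEvents = [
  { origin: 'https://login.example', data: { type: 'token-refresh' } },
  { origin: 'https://login.example.attacker.example', data: { type: 'token-refresh' } },
  { origin: 'https://app.example', data: 'not an object' },
];
for (const e of sampleEvents) {
  console.log(e.origin, '->', JSON.stringify(handleMessage(e)));
}
```

The second sample event is the case a prefix or substring comparison would get wrong: its origin merely begins with a trusted host name, and only an exact match on the whole origin rejects it.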
Also on mobile
Site Isolation is now also being rolled out to the mobile versions of Chrome on Android and iOS. However, the feature is limited there: Site Isolation is only applied to websites where a password has to be entered.
According to Ars Technica, this is because Site Isolation reduces performance. It forces Chrome to create more processes, which can use up to 5 percent more memory. Mobile devices have less memory than desktops and laptops, so the impact may be greater.