Following the disclosure of Spectre and Meltdown CPU vulnerabilities earlier this year, the entire tech industry has been working to secure devices. In the current stable version of Chrome, Google has widely rolled out a security feature called Site Isolation to protect desktop browsers against Spectre.
Spectre takes advantage of a performance feature found in most CPUs (speculative execution) to read memory anywhere in a process’ address space. In a browser, a malicious website could therefore steal data or login information from other pages that are currently open.
For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies or passwords) belonging to other frames or pop-ups in its process.
Site Isolation has the browser render content for each open website in a dedicated process that is separated from other pages. Even before Spectre, Chrome’s Security team had already been working towards this major architectural change for several years.
Site Isolation is a large change to Chrome’s architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of “site” that includes just the scheme and registered domain. Thus, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.
With the security feature enabled, data belonging to other websites will not be loaded in the same process as the malicious web page. This reduces the amount of data an attacker could steal and “significantly reduces the threat posed by Spectre,” according to Google.
When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”
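To make the “site” definition and the out-of-process iframe rule concrete, here is an added example (not code from the article or from Chromium) that derives Chrome’s site key from a URL and lists which iframes of a page would be placed in a renderer other than the parent’s; the public-suffix table in it is a constructed, abbreviated stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List (assumption):
# the real list is far larger; only the suffixes needed for this demo are here.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "ac.uk"}


def registrable_domain(host: str) -> str:
    """Return the registered domain (eTLD+1) of a host name.

    Try suffixes from longest to shortest; the label in front of the longest
    matching public suffix is the registrant's, e.g. maps.google.co.uk -> google.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host.lower()  # host is itself a public suffix (e.g. co.uk)
            return ".".join(labels[i - 1:])
    return host.lower()  # unknown TLD: treat the whole host as the registrable domain


def site_of(url: str) -> str:
    """Chrome's notion of a site: scheme plus registered domain, nothing else."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{registrable_domain(parts.hostname or '')}"


def same_site(a: str, b: str) -> bool:
    return site_of(a) == site_of(b)


def out_of_process_frames(parent_url: str, frame_urls):
    """Iframes that Site Isolation would render outside the parent's process."""
    return [u for u in frame_urls if not same_site(parent_url, u)]


if __name__ == "__main__":
    page = "https://google.co.uk/search"
    frames = ["https://maps.google.co.uk/embed", "https://example.com/widget"]
    print(site_of("https://maps.google.co.uk/embed"))   # https://google.co.uk
    print(out_of_process_frames(page, frames))           # ['https://example.com/widget']
```

Note that http:// and https:// origins of the same domain are different sites under this definition, so they also get separate renderers.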
This change to how Chrome works should “generally” not be noticeable to end users or web developers. However, there is a “10-13% total memory overhead in real workloads due to the larger number of processes.” While Site Isolation creates more processes, Google notes that each renderer is “smaller, shorter-lived, and has less contention internally.”
As of Chrome 67, Site Isolation is enabled for 99% of Windows, Mac, Linux, and Chrome OS users. The remaining 1% is held back so that Google can monitor and improve performance, which it is still working to optimize. The company also plans to have Site Isolation address more than Spectre in the future, including protecting against fully compromised renderer processes.
Moving forward, Google plans to extend Site Isolation to Chrome for Android and is working towards addressing known issues. With Chrome 68, Site Isolation can be manually enabled on mobile using the flag below, as well as through enterprise policies.