As part of the broader Chrome 92 update today, Google is expanding the availability of Site Isolation on Android, as well as to extensions on desktop browsers.
Site Isolation gained prominence in light of 2018’s Spectre and Meltdown CPU vulnerabilities that could allow malicious websites to steal login information or other data from pages that are currently open. To counter this, Chrome renders content for each open website in a dedicated process. The implementation on desktops is quite straightforward, and Chrome 92 extends Site Isolation to extensions so that they no longer share processes with one other.
This provides an extra line of defense against malicious extensions, without removing any existing extension capabilities.
On Android, Site Isolation was widely introduced with Chrome 77 in October of 2019. Mobile performance and battery factors inherently constrain the security measure. The “slimmer form” of Site Isolation over the past two years has worked to protect “high-value sites” where users sign in with a password. This includes banking and shopping with Chrome maintaining a list of mobile pages where credentials are frequently entered.
Site Isolation for all sites continues to be too costly for most Android devices, so our strategy is to improve heuristics for prioritizing sites that benefit most from added protection
With Chrome 92, Site Isolation is active on sites where users log in via third-party OAuth providers, like Sign in with Google. It will also be active for sites with Cross-Origin-Opener-Policy (COOP) headers, which any page can request.
Supported since Chrome 83, this header allows operators of security-conscious websites to request a new browsing context group for certain HTML documents. This allows the document to better isolate itself from untrustworthy origins, by preventing attackers from referencing or manipulating the site’s top-level window.
Like before, there’s a minimum 2GB RAM threshold for Site Isolation in Chrome for Android, though Google continues to offer a manual flag to enable for all sites at the expense of memory: chrome://flags/#enable-site-per-process.
With these considerations in place, our data suggests that the new Site Isolation improvements do not noticeably impact Chrome’s overall memory usage or performance, while protecting many additional sites with sensitive user data.
FTC: We use income earning auto affiliate links. More.
Comments