Version 67 of Google Chrome enabled site isolation by default in an effort to protect users against Spectre-based attacks.
Google has been testing Chrome site isolation since version 63, but has now decided the feature is ready for prime time to help mitigate Spectre attacks. Google described Chrome site isolation as a “large change” to the browser’s architecture “that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites.”
“When site isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes,” Charlie Reis, site isolator at Google, wrote in a blog post. “It also means all cross-site iframes are put into a different process than their parent frame, using ‘out-of-process iframes.’ Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre.”
This is a major change from Chrome's previous multi-process architecture, in which cross-site iframes or cross-site pop-ups could end up in the same process as the page that embedded or opened them. Reis noted there are still ways an attacker could access cross-site URLs even with Chrome site isolation enabled; he urged developers to ensure “resources are served with the right MIME type and with the nosniff response header,” in order to minimize the risk of data leaks.
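As an added example, not code from the article or from Google, here is a small audit of the two response properties Reis names: a correct Content-Type for resources that carry user data, and the `X-Content-Type-Options: nosniff` header. The sample responses and the resource-kind-to-MIME-type mapping are constructed assumptions for this example.

```python
# Audit HTTP response headers for a correct Content-Type and for
# X-Content-Type-Options: nosniff, the two properties the article says
# site-isolated Chrome relies on to keep cross-site data out of reach.
from typing import Dict, List

# Assumed mapping for this example: resource kinds that typically carry
# user data, and the media types a browser expects for them.
EXPECTED_TYPES = {
    "html": {"text/html"},
    "json": {"application/json"},
    "xml": {"application/xml", "text/xml"},
}


def parse_media_type(value: str) -> str:
    """Return the media type of a Content-Type header, lower-cased,
    with parameters such as '; charset=utf-8' removed."""
    return value.split(";", 1)[0].strip().lower()


def audit_response(kind: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response. Header names are matched
    case-insensitively, as HTTP requires; an empty list means OK."""
    norm = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    ctype = norm.get("content-type")
    if ctype is None:
        findings.append("missing Content-Type")
    elif parse_media_type(ctype) not in EXPECTED_TYPES[kind]:
        findings.append(
            f"unexpected Content-Type {parse_media_type(ctype)!r} for {kind}")
    if norm.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses (not real captures): kind plus headers.
SAMPLES = {
    "account-json-ok": ("json", {"Content-Type": "application/json; charset=utf-8",
                                 "X-Content-Type-Options": "nosniff"}),
    "account-json-bad": ("json", {"Content-Type": "text/plain"}),
    "profile-html": ("html", {"content-type": "text/html",
                              "x-content-type-options": "NOSNIFF"}),
}


def audit_all(samples=SAMPLES) -> Dict[str, List[str]]:
    """Audit every sample and map its name to its findings."""
    return {name: audit_response(kind, hdrs) for name, (kind, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```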
A source close to Google described the aim of Chrome site isolation as protecting the most sensitive data: even if new variants of Spectre or other side-channel attacks are discovered, an attack may still succeed, but Chrome will keep the data worth stealing out of its reach.
Brandon Czajka, vice CIO at Switchfast Technologies, said it’s reassuring to see Google “lead the field” by developing new features such as Chrome site isolation.
“Google’s site isolation appears to work as a means of separation. Rather than allowing Chrome to process data for all websites opened under a single renderer, site isolation separates the rendering process to limit a site’s access to user data that may have been entered on other sites (or in other words, increases confidentiality),” Czajka wrote via email. “So, while a user could still fall victim to a Spectre attack, its scope should be more limited to just the malicious site rather than affording it unlimited access.”
Chrome site isolation has been enabled for 99% of users on Windows, Mac, Linux and Chrome OS, according to Google, with Android support still in the works. However, the added protection and increased number of processes will require more system resources.
“Site isolation is a significant change to Chrome’s behavior under the hood, but it generally shouldn’t cause visible changes for most users or web developers (beyond a few known issues),” Reis wrote. “Site isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs: on the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes.”
Czajka said while performance may be one of the most important aspects for any business, “it is just one piece of the puzzle.”
“While Google’s site isolation may require more memory, and thus may slow browser performance, it is these types of security measures that help to secure the confidentiality and integrity of user data,” Czajka wrote.