Google introduced 'Site Isolation' in Chrome for desktop in 2018, which feature brings additional line of defense by ensuring that the pages from different websites are opened in different sandbox processes on the browser.
The security feature was enabled by default in the web browser starting with the release of Chrome 67, in a bid to thwart the infamous Spectre and Meltdown attack, and also protect against many other online threats. With the browser getting its own isolated process, it will become harder for malicious websites to access cross-site data using such side-channel vulnerability.
While the Google research team in a proof-of-concept demonstrated how an attacker could employ JavaScript to read the address space of a Chrome process, via the open tab, and also access site credentials that was opened. The Site Isolation feature will help to protect all types of sensitive data, including cookies, stored passwords, network data, stored authentication, and also cross-origin messaging that aid sites to securely relay messages across domains.
The availability of the feature for Android starts with Chrome 77, and has been enabled for about 99% of users running Android devices with a RAM of at least 2GB, and a 1% holdback for monitoring performance.
Albeit, the site isolation in Chrome for Android doesn't sandbox all the websites, unlike what is the case with Chrome for desktops; it protect only highly-sensitive information websites where users credentials are entered or accessed. But you can forcefully enable the protection to isolate all sites by an opt-in to full Site Isolation on chrome://flags/#enable-site-per-process settings page.
And once the feature is active for a user, Chrome will keep list of isolated sites stored locally on the user's device, which will help the browser to automatically turn on the feature whenever the user revisit any of the sites.
No comments