Slashdot Mirror


Google Quietly Enables 'Site Isolation' Feature for 99% of Chrome Desktop Users (bleepingcomputer.com)

Google has quietly enabled a security feature called Site Isolation for 99% of its desktop users on Windows, Mac, Linux, and Chrome OS. This happened in Chrome 67, released at the end of May. From a report: Site Isolation isn't a new feature per se, being first added in Chrome 63, in December 2017. Back then, it was only available if users changed a Chrome flag and manually enabled it in each of their browsers. The feature is an architectural shift in Chrome's modus operandi because when Site Isolation is enabled, Chrome runs a different browser process for each Internet domain. Initially, Google described Site Isolation as an "additional security boundary between websites," and as a way to prevent malicious sites from messing with the code of legitimate sites.
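
The per-domain process split described in the summary, worked through for one tab with embedded third-party frames. This is an added example, not part of the original post and not Chrome's code: it models a "site" as scheme plus registrable domain, and `SUFFIXES`, `siteOf`, `assignProcesses` and the sample URLs are constructed for illustration.

```javascript
// Simplified model of per-site renderer process assignment (illustration only).
// SUFFIXES is a constructed stand-in for the real Public Suffix List.
const SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Reduce a URL to its "site": scheme plus registrable domain (suffix + one label).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  // Walk from the longest candidate suffix to the shortest.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      const start = Math.max(i - 1, 0);
      return `${u.protocol}//${labels.slice(start).join(".")}`;
    }
  }
  // Unknown suffix: fall back to treating the whole host as the site.
  return `${u.protocol}//${u.hostname}`;
}

// Group every frame of a tab (top-level document and iframes) by site.
// Each map key stands for one renderer process in this model.
function assignProcesses(frameUrls) {
  const processes = new Map();
  for (const url of frameUrls) {
    const site = siteOf(url);
    if (!processes.has(site)) processes.set(site, []);
    processes.get(site).push(url);
  }
  return processes;
}

// Constructed sample: one tab's frame tree flattened to a list of URLs.
const TAB_FRAMES = [
  "https://www.example.com/article",   // document shown in the address bar
  "https://static.example.com/widget", // other subdomain, same site
  "https://ads.tracker.net/banner",    // third-party iframe
  "https://login.bank.co.uk/embed",    // third-party iframe, two-label suffix
  "http://www.example.com/legacy",     // same host, different scheme
];

for (const [site, frames] of assignProcesses(TAB_FRAMES)) {
  console.log(site, "->", frames.length, "frame(s)");
}
```

In this model the two `https://*.example.com` frames share a process, while each third-party iframe and the `http:` frame land in their own, so the boundary follows the site of every frame rather than only the address-bar URL.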

22 of 70 comments

  1. 10% by phantomfive · · Score: 5, Informative

    10% memory usage increase, according to the article. Defends against Spectre and Meltdown somewhat.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:10% by Z00L00K · · Score: 2

      But is the site isolation complete so that all cached info is now tied to the site you browse and third party cookies and cached data as well is living in total separation?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:10% by phantomfive · · Score: 1

      I was wondering that, too. Merely forking the code isn't enough, if your stored passwords get forked, too. I didn't wonder enough to read the source code, though.

      --
      "First they came for the slanderers and i said nothing."
  2. Re:Registered /.ers review of the Win64 model by DontBeAMoran · · Score: 1, Offtopic

    We need this running on a Raspberry Pi Zero, so I can have an independent DNS server internally that all our devices can connect to (Nintendo, Playstation, Xbox, PCs/Macs, smartphones, tablets, etc).

    --
    #DeleteFacebook
  3. Huh. by waspleg · · Score: 1

    I was under the impression they were already doing that. I don't use Chrome, though, so I guess I didn't notice.

  4. Is it just for the URL in the address bar? by dwywit · · Score: 4, Interesting

    Or does it cover each and every third-party domain, e.g. all the advertising domains pinged by landing on a web page?

    Those domains are just as dangerous, if not more so, than the domain shown in the address bar.

    --
    They sentenced me to twenty years of boredom
  5. Disabled by default? by iamagloworm · · Score: 5, Informative

    99% of users? I am on the latest chrome and it was disabled for me. Check at chrome://flags/#enable-site-per-process

    1. Re:Disabled by default? by Gavagai80 · · Score: 2

      Same for me, on Chrome 67. Perhaps it's only enabled for new installations for now?

      --
      This space intentionally left blank
    2. Re:Disabled by default? by onco_p53 · · Score: 2

      Yes off for me as well, thanks for the link to change the option.

    3. Re:Disabled by default? by Pepsiman · · Score: 1

      The description of the flag says:
      "When disabled, the site isolation mode will be determined by enterprise policy or field trial."

      The flag is shown as disabled for me, but it's obvious from Chrome's task manager that site isolation is enabled.

    4. Re:Disabled by default? by arglebargle_xiv · · Score: 1

      99% of users? I am on the latest chrome and it was disabled for me. Check at chrome://flags/#enable-site-per-process

      I've tried this with my copy of Chrome and it reports: "Firefox error: The address isn't valid". I'm running Chrome version.... um, 61 "Quantum". Maybe that's the problem, I need to wait for Mozilla to release version 67?

    5. Re:Disabled by default? by Actually,+I+do+RTFA · · Score: 1

      Same for me, on Chrome 67. Perhaps it's only enabled for new installations for now?

      Given the number of users Slashdot has, and the sampling bias in reporting bugs, it seems far more likely you and the GP are just still part of the 1%.

      --
      Your ad here. Ask me how!
    6. Re:Disabled by default? by Gavagai80 · · Score: 1

      Well, it's nice to finally be part of the 1% even if it's the wrong 1%.

      --
      This space intentionally left blank
  6. Re:Registered /.ers review of the Win64 model by nullbort · · Score: 3, Informative
  7. Well great by Niobe · · Score: 1

    Now I don't need to turn it on manually.

  8. So the approved ads by AHuxley · · Score: 3, Funny

    really know the user is looking and only approved ads get displayed.

    --
    Domestic spying is now "Benign Information Gathering"
  9. Re:Registered /.ers review of the Win64 model by f3rret · · Score: 1

    They switched your meds again, eh?

    --
    Admit nothing. Deny Everything. Make Counter-accusations.
  10. Re:F3rret FAKE NAME fuck... apk by f3rret · · Score: 1

    Actually dude my legal name is f3rret.

    --
    Admit nothing. Deny Everything. Make Counter-accusations.
  11. Re:Registered /.ers review of the Win64 model by DontBeAMoran · · Score: 1

    Thank you.

    --
    #DeleteFacebook
  12. Is this just Specter, etc? by Actually,+I+do+RTFA · · Score: 1

    Since the pages can communicate to each other (and presumably access information on each other as allowed by the JS spec), is this just about protecting people from Specter, etc?

    --
    Your ad here. Ask me how!
    1. Re:Is this just Specter, etc? by Specter · · Score: 1

      Muhahaha! There is no protection from me!

  13. Site/Tab isolation by EdmundSS · · Score: 1

    What I'd like to see is more extensive than that: If you log in to a website in tab A, then tab B has no access to that (especially cookies) unless tab B is created off tab A (e.g. Open in New Window), or explicitly authorised.