With the release of Chrome 67, Google has enabled a security feature called “Site Isolation” by default for all desktop users of its web browser to help protect them against many online threats, including Spectre and Meltdown attacks.
Site Isolation is a feature of the Google Chrome web browser that adds an additional security boundary between websites by ensuring that different sites are always put into separate processes, isolated from each other.
Since each site in the browser gets its own sandboxed process, the feature makes it harder for untrusted websites to access or steal information from your accounts on other websites.
In January this year, when Google Project Zero researchers disclosed details of the Spectre and Meltdown CPU vulnerabilities, the tech giant recommended that Chrome desktop users manually turn on the Site Isolation feature on their devices to mitigate speculative side-channel attacks.
“Even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker,” Google engineer Charlie Reis explains in a blog post.
“This significantly reduces the threat posed by Spectre.”
Following the discovery of various Spectre variants and sub-variants, Google has now by default enabled this security feature for 99% of Chrome desktop users on Windows, Mac, Linux, and Chrome OS.
Given the broad scope of this new change, the company is keeping a 1 percent holdback, for now, to monitor and improve performance.
Google is also investigating ways to extend the Site Isolation feature to Chrome for Android, its mobile platform “where there are additional known issues,” but Android users can enable the feature manually.
“Experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android, and it can be enabled manually on Android using chrome://flags/#enable-site-per-process,” the company said.
Since browsers generally allow pages to embed images and scripts from any site, Google has also added a mechanism called Cross-Origin Read Blocking (CORB) to the Site Isolation feature that “tell browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin.”
“In addition, Site Isolation also offers more protection against a certain type of web browser security bug, called universal cross-site scripting (UXSS),” Google said.
“Security bugs of this form would normally let an attacker bypass the Same Origin Policy within the renderer process, though they don’t give the attacker complete control over the process.”
It should be noted that additional processes generated by Site Isolation could cause Chrome to use more memory, but Google promises to optimize this behavior to keep its browser fast.