Site Isolation in Chromium Browsers

Browsers like Chrome, Microsoft Edge, Opera and Brave are built on top of Chromium. Chromium, developed by Google, is an open source codebase for a browser, and is widely considered one of the most secure codebases to build a browser on, due to the security measures implemented in it. Features like site isolation, the browser sandbox and Safe Browsing make it more secure than competing browsers. Today, we are going to look into a comparatively new feature, called site isolation.



The Chromium browser is a secure and open source browser



What is Site Isolation?


Site isolation is a security feature implemented in all modern browsers like Chrome, Firefox and Edge. It was added as an additional security measure to mitigate attacks that exploit bugs in the browser renderer, cross-site scripting bugs and side channel attacks like the well known Spectre attack, which exposed private data to attackers and allowed them to extract the information with a timing attack. It essentially makes it harder for untrusted websites to access or steal information from your accounts on other websites.


It is meant to serve as an additional layer of protection for when the browser renderer has been compromised through a bug. This means that even if the website you are reading an article on in one tab manages to exploit a bug in the renderer, it would not get the password you are typing to log in to your bank in another tab.


Why is Site Isolation needed?


Site Isolation helps protect against renderer bugs that will inevitably be present in future Chrome releases. The volume of such bugs holds steady despite years of investment in developer education, fuzzing, rewarding researchers for reporting bugs through the Google Vulnerability Reward Programs, and so on.


Chrome runs every tab in a new process, which means tabs cannot share data with each other. This also prevents data from leaking between tabs. However, universal cross-site scripting (UXSS) bugs pose a huge threat. These bugs would normally let an attacker bypass the Same Origin Policy within the same process. Though they don't give the attacker complete control over the process, they are still dangerous.


It also protects users from being exploited by webpages using side channel bugs (like the Spectre attack) and bugs in hardware (like Meltdown), which are outside Chromium's control.


Real world usage of Site Isolation


This feature was enabled for all desktop users starting from Chrome version 67. It was subsequently added to other Chromium-based browsers like Opera, Vivaldi and Brave.


For Android users, it was enabled in Chrome version 77, and only for sites users log in to. This was due to performance concerns introduced by Site Isolation, which increased page load times on Android.


How does Site Isolation work?


A website can only access data from the same site, and cannot get data from other sites. First, let us look at what is classified as same-site or cross-site.



Visual explanation of the differences between same-site and cross-site. Image from MS Edge VR



If the domain in the URL bar and the domain loaded in the iframe are the same, they are considered to be from the same site.


The parent website cannot get data from an embedded iframe that is considered cross-site. This prevents sneaky websites from embedding your bank's login page and trying to read data from the embedded page.
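To make the same-site versus cross-site classification concrete, here is an added example (not code from the article or from the Chromium project) that models how a browser decides which frames share a site. It goes a little beyond the article's wording of "the domain": Chromium's notion of a site is the scheme plus the registrable domain (the public suffix plus one label, often written eTLD+1), so `https://mail.example.com` and `https://example.com` are the same site while `http://example.com` is not. The tiny `PUBLIC_SUFFIXES` set is a constructed stand-in for the real Public Suffix List, and `cross_site_frames` is a simplified model that reports which iframes would be placed in a renderer process separate from the top-level page.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Real browsers consult the full list (publicsuffix.org); this subset
# exists only so the example runs offline.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host: the public suffix plus one more label.

    Hosts with no known suffix (IP literals, single-label hosts) are
    treated as their own site, which is what browsers do as well.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is matched before a shorter suffix could be.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def site_key(url: str) -> str:
    """Scheme + registrable domain: the unit Site Isolation separates by."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme}://{registrable_domain(parts.hostname)}"


def is_same_site(url_a: str, url_b: str) -> bool:
    """True when both URLs belong to the same site (scheme and eTLD+1)."""
    return site_key(url_a) == site_key(url_b)


def cross_site_frames(top_url: str, frame_urls: list[str]) -> list[str]:
    """Simplified model: list the iframes that must not share the
    top-level page's renderer process because they are cross-site."""
    top_site = site_key(top_url)
    return [u for u in frame_urls if site_key(u) != top_site]


if __name__ == "__main__":
    # Constructed page layout: a news article embedding three iframes.
    page = "https://news.example.org/article"
    frames = [
        "https://ads.example.org/banner",      # same site as the page
        "https://bank.example.com/login",      # cross-site: separate process
        "https://cdn.example.org/widget",      # same site as the page
    ]
    for frame in frames:
        verdict = "same-site" if is_same_site(page, frame) else "cross-site"
        print(f"{frame:40} {verdict}")
    print("out-of-process iframes:", cross_site_frames(page, frames))
```

The bank login frame is the only one that lands in a different renderer process, which is exactly the boundary the article describes: even a compromised renderer for the news site cannot read the bank frame's memory, because that memory belongs to another process.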


By separating pages from each other this way, a high level of security is achieved at the cost of a small performance hit.


Performance Impact of Site Isolation


Since every site runs in a new process, this might be expected to hurt the performance of web pages in Chromium. However, testing by the Chromium development team found that Site Isolation affected performance in several ways, some positive and others negative. Some iframes rendered faster because they ran in parallel with the process rendering the main page, but this led to additional memory usage due to the new process introduced for each such frame.


Extensions also run in their own process, isolated from pages, which adds to the memory requirements and may introduce latency when navigating between processes (different tabs or windows).


Conclusion


Site Isolation is a critical security feature that is not known to many developers. It works behind the scenes, unknown to most users, protecting them from new exploits that try to extract their data.

You can read more about site isolation, and look at the code that makes it work, in the Chromium project's design document.

