- Chrome’s Site Isolation has been improved and now prevents most side-channel attacks.
- The feature has been on by default since version 67, and it has now been improved and enabled on Android as well.
- The trade-off is the need to allocate more resources to Chrome, and RAM in particular.
Chrome’s Site Isolation has just been improved to the point that the Chrome Security team has envisioned since version 67, when the feature was first introduced. It is now enabled by default on all platforms, including Android devices that have at least 2GB of RAM. On the desktop, Site Isolation can now defend against fully compromised renderer processes and UXSS bugs, complementing the protective spectrum and covering every “popular” exploitation scenario.
From now on, Chrome will put cross-site documents into different processes, and this will apply not only to new tabs but also to iframes that open on the active tab. Moreover, cross-site data in HTML, XML, JSON, and PDF format will not be delivered to a web page’s process unless the server allows it through CORS. Finally, additional security checks have been introduced in the renderer processes, which make it possible to detect and terminate any misbehaving ones.
What all this means is that the pages from each website will be isolated from the rest, running in a sandboxed process in the browser. This way, the information you enter on one website cannot be “grabbed” by another that is running on a different tab, for example. So, “side-channel” attacks, as well as Spectre-based attacks, will not work on Chrome and Chrome-based browsers anymore, and this is a huge development in the right direction.
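The cross-site data rule described above can be written as a small decision function. This is an added sketch, not Chrome's code: the MIME type list, the function names and the sample hosts are assumptions, it compares full origins (at least as strict as "cross-site"), and it looks only at the declared Content-Type without inspecting the body.

```javascript
// Simplified model of the delivery rule (added example, not Chrome's implementation).
// Assumption: these MIME types stand in for "HTML, XML, JSON, and PDF".
const PROTECTED_TYPES = new Set([
  'text/html', 'text/xml', 'application/xml',
  'application/json', 'text/json', 'application/pdf',
]);

// Reduce a Content-Type header value to its bare, lowercased MIME type.
function mimeOf(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

function isProtected(mime) {
  if (PROTECTED_TYPES.has(mime)) return true;
  if (mime === 'image/svg+xml') return false; // SVG is treated as an image
  return mime.endsWith('+xml') || mime.endsWith('+json');
}

// True when the response's CORS header names the requesting page, or everyone.
function corsAllows(pageOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Decide whether a response body reaches the requesting page's renderer process.
function decideDelivery(pageUrl, response) {
  const pageOrigin = new URL(pageUrl).origin;
  const resOrigin = new URL(response.url).origin;
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;

  if (pageOrigin === resOrigin) return { deliver: true, reason: 'same-origin' };
  if (!isProtected(mimeOf(headers['content-type'])))
    return { deliver: true, reason: 'type-not-protected' };
  if (corsAllows(pageOrigin, headers)) return { deliver: true, reason: 'cors-allowed' };
  return { deliver: false, reason: 'blocked-cross-origin-data' };
}

// Constructed sample responses; every host here is hypothetical.
const page = 'https://news.example/article';
const samples = [
  { url: 'https://bank.example/api/balance', headers: { 'Content-Type': 'application/json; charset=utf-8' } },
  { url: 'https://api.example/feed', headers: { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': 'https://news.example' } },
  { url: 'https://cdn.example/logo.png', headers: { 'Content-Type': 'image/png' } },
  { url: 'https://news.example/comments', headers: { 'Content-Type': 'text/html' } },
];
for (const r of samples) console.log(r.url, decideDelivery(page, r));
```

For a site operator, the model shows why sensitive endpoints should declare an accurate Content-Type and keep their CORS allow-list narrow: only responses that fall through to the last branch stay out of another site's renderer process.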
However, this additional security and protection measure doesn’t come without a cost, and that cost is measured in system resources. To keep each website running in its own isolated sandbox, the browser needs to load a separate set of libraries into memory for each one, so the burden on the system increases. Overall, you should expect to see an increase in the memory usage of Chrome by 10% to 13%. On Android, the additional overhead is estimated to range between 3% and 5%, as the renderer checking process isn’t implemented there yet. This is why the site isolation feature will only be enabled if your device has more than 2GB of RAM; otherwise, your browsing experience would be severely degraded. On the desktop, considering the hardware power that even cheaper builds enjoy today, I don’t think there's any issue.