Google Chrome has implemented a security feature called Strict Site Isolation which makes it harder for websites to access or steal data from other sites. When this feature is enabled, Chrome will load each site in a dedicated process which limits what the website can do. It also blocks the process from receiving certain types of sensitive documents from other sites.
This helps protect against a class of browser bugs called universal cross-site scripting (UXSS): even if an attacker somehow bypasses the same-origin policy inside one renderer, that process only holds the data of a single site, so they will not be able to completely own the process.
In theory, this also helps mitigate attacks that exploit vulnerabilities such as Spectre and Meltdown. The feature will be enabled by default in Chrome 64 and later, but you can turn it on right away via Chrome flags.
Enable Strict Site Isolation in Chrome
1. Launch Google Chrome. Make sure it’s up to date.
2. Type chrome://flags/#enable-site-per-process in the address bar and hit Enter.
3. Find “Strict site isolation” on the page and click “Enable”.
4. Click the “Relaunch Now” button in the bottom right corner to apply the changes and restart the browser.
Once that’s done, Strict Site Isolation should be enabled and each website will now run in a separate process. You can undo this change at any time by clicking on the “Disable” button.
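On machines you administer, the flag above is only a per-user preference that anyone can switch back off with the Disable button, so a practitioner would rather enforce the feature through Chrome's managed policy. The following shell script is an added example, not part of the original post; it assumes Chrome's Linux managed-policy directory /etc/opt/chrome/policies/managed and the SitePerProcess policy name, and the file name site-isolation.json is our own choice.

```shell
#!/bin/sh
# Enforce Strict Site Isolation for every Chrome profile on a Linux machine by
# dropping a managed policy file instead of relying on chrome://flags.
# Assumptions (not from the original post): Chrome reads JSON policy files from
# /etc/opt/chrome/policies/managed at start-up, and the boolean policy is named
# SitePerProcess. The file name below is an arbitrary choice.

POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"
POLICY_FILE="site-isolation.json"

# Write a policy file that turns SitePerProcess on in the given directory and
# print its path. Policy files are read when the browser starts, so the setting
# is applied to every user and cannot be undone from chrome://flags.
write_site_isolation_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    printf '{\n  "SitePerProcess": true\n}\n' > "$dir/$POLICY_FILE" || return 1
    # Readable by everyone (Chrome runs as the user), writable only by root,
    # otherwise an ordinary user could simply edit the setting away.
    chmod 644 "$dir/$POLICY_FILE" || return 1
    echo "$dir/$POLICY_FILE"
}

# Return 0 when some managed policy file in the directory enables SitePerProcess,
# 1 otherwise (missing directory, no JSON files, or the policy not set to true).
site_isolation_enforced() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -qs '"SitePerProcess"[[:space:]]*:[[:space:]]*true' "$dir"/*.json
}

# Only touch the real policy directory when explicitly asked to (run as root).
if [ "${1:-}" = "--apply" ]; then
    write_site_isolation_policy "$POLICY_DIR"
    if site_isolation_enforced "$POLICY_DIR"; then
        echo "SitePerProcess is enforced; verify in chrome://policy after a restart"
    fi
fi
```

On Windows the same policy is a DWORD named SitePerProcess under HKLM\Software\Policies\Google\Chrome; either way, chrome://policy lists the policy once Chrome has picked it up.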
With strict site isolation turned on, you may notice a slight increase in memory usage, so keep that in mind if you are using Chrome on a computer that is already low on RAM. Also, cross-site iframes may appear blank when printing a webpage. To work around this, save the page locally, then open and print the saved file. Lastly, some websites may not work properly.
Chrome is already a fairly secure browser, but site isolation adds another layer of protection. If you want to improve its stability and security further, enable it right away.
Yes, there are some potential drawbacks but most of these will be fixed in upcoming Chrome releases. The additional protections should be well worth it.
Have you started using site isolation? Let us know in the comments below.