Google has added more features to Chrome 77:
- Chrome for Android has enabled Site Isolation for sites where users enter passwords.
- On desktop platforms, Site Isolation now helps defend against attacks from fully compromised renderer processes, not just side-channel attacks.
Site Isolation on Android
Google has added Site Isolation & its benefits to Android users. Like Site Isolation on desktop, this launch leverages OS processes to make it harder for attackers to steal data from other Websites. In particular, it offers the most effective defense against Spectre-like CPU vulnerabilities.
Unlike desktop platforms where Google isolates all Sites, Chrome on Android uses a slimmer form of Site Isolation, protecting fewer Sites to keep overhead low. More specifically, Site Isolation is turned on only for high-value Sites where users log in with a password. This protects them with sensitive data that users likely care about, such as banks or shopping Sites, while allowing process sharing among less critical Sites.
Once Chrome observes a password interaction on a Website, future visits to that Site will be protected by Site Isolation. That means the Site will be rendered in its own dedicated renderer process, walled off from other Sites. Navigations to other Sites will cause a tab to switch processes, & cross-site iframes are put into a different process, becoming “out-of-process iframes.”
Chrome keeps a list of isolated Sites stored locally on the device & clears the list whenever users clear their browsing history or other Site data. To bootstrap, Chrome also isolates a crowdsourced list of Sites where mobile users have been entering passwords most frequently.
Via: Chromium blog
