Site isolation

[Figure: A depiction of how site isolation separated different websites into different processes]

Site isolation is a web browser security feature that groups websites into sandboxed processes by their associated origins. This technique enables the process sandbox to block cross-origin bypasses that would otherwise be exposed by exploitable vulnerabilities in the sandboxed process.
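The mechanism described above, as an added example that is not taken from the article or from any browser's source code: a toy broker assigns frames to renderer processes by origin and enforces a per-process origin lock from outside the sandbox. The Browser class, its methods and the sample URLs are hypothetical and constructed; shipping browsers differ in details such as the exact grouping key.

```javascript
// Toy model of site isolation (added example; all names are hypothetical).
// "Browser" is the privileged broker; each renderer is a sandboxed process.
class Browser {
  constructor({ isolate }) {
    this.isolate = isolate;
    this.locks = new Map();    // processId -> origin lock (null = shared)
    this.byKey = new Map();    // grouping key -> processId
    this.nextPid = 1;
  }

  // Choose the renderer process for a frame navigating to `url`.
  processFor(url) {
    const origin = new URL(url).origin;
    const key = this.isolate ? origin : "*"; // "*" = one shared renderer
    if (!this.byKey.has(key)) {
      const pid = this.nextPid++;
      this.byKey.set(key, pid);
      this.locks.set(pid, this.isolate ? origin : null);
    }
    return this.byKey.get(key);
  }

  // Broker-side check, run outside the sandbox: may renderer `pid` read
  // data (cookies, storage, responses) that belongs to `url`'s origin?
  // A shared renderer has to be allowed everything, because it
  // legitimately hosts documents from every origin.
  mayRead(pid, url) {
    const lock = this.locks.get(pid);
    if (lock === undefined) return false; // unknown process
    return lock === null || lock === new URL(url).origin;
  }
}

// Constructed sample page: a top-level document and two iframes.
const FRAMES = [
  "https://news.example/article",
  "https://news.example/comments",
  "https://ads.test/banner",
];

function layout(isolate) {
  const browser = new Browser({ isolate });
  const pids = FRAMES.map((u) => browser.processFor(u));
  // Model a compromised ad renderer asking for its embedder's data.
  const leak = browser.mayRead(pids[2], "https://news.example/");
  return { pids, leak };
}

console.log(layout(false), layout(true));
```

Without isolation the broker cannot tell a legitimate request from one issued by a compromised renderer, because the single process is entitled to every origin's data; with isolation the cross-origin iframe runs out of process and the same request is refused.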

The feature was first proposed publicly by Charles Reis and others, although Microsoft was independently working on an implementation in the Gazelle research browser at the same time. The approach initially failed to gain traction because of the large engineering effort required to implement it in a fully featured browser, and because of concerns about the real-world performance impact of potentially unbounded process use.

In May 2013, a member of Google Chrome's Site Isolation Team announced on the chromium-dev mailing list that they would begin landing code for out-of-process iframes (OOPIF).[1] This was followed by a Site Isolation Summit at BlinkOn in January 2015, which introduced the eight-engineer team and described the motivation, goals, architecture, proposed schedule, and progress made so far. The presentation also included a demo of Chrome running with an early prototype of site isolation.[2]

In 2018, following the public disclosure of the Spectre and Meltdown vulnerabilities, Google accelerated the work, culminating in a 2019 release of the feature. In 2021, Firefox also launched its own version of site isolation, which had been developed under the codename Project Fission.

Despite the security benefits of this feature, it does have limitations and tradeoffs. While it provides a baseline protection against side channel attacks such as Spectre and Meltdown, full protection against such attacks requires developers to explicitly enable certain advanced browser protections.

The main tradeoff of site isolation involves the added resource consumption necessitated by the additional processes it requires. This limits its effectiveness on some classes of devices, and can be abused in some cases to enable resource exhaustion attacks.

  1. Oskov, Nasko (1 May 2013). "PSA: Tracking changes for out-of-process iframes". chromium-dev (Mailing list). Retrieved 30 August 2024.
  2. Site Isolation Summit (YouTube). 29 January 2015. Retrieved 30 August 2024.

From Wikipedia, the free encyclopedia
