Render defender

Google has extended its Site Isolation security feature to Android devices.

Site Isolation in Chrome debuted back in July 2018 as a means to secure desktop browsers against the risk of side-channel attacks like Spectre.

On desktop platforms, the applications for Site Isolation have since been expanded to defend against attacks from fully compromised renderer processes.

Full compromise might arise from memory corruption bugs or universal cross-site scripting (UXSS) logic errors.

Chrome 77 will now bring a “slimmed down” Site Isolation to Android users.

Unlike Chrome for desktops, the mobile version of the technology normally only kicks in for sites where users log in using a password (online banking, e-commerce, webmail, etc.).

Using the technology comes with performance trade-offs, however – each renderer process is smaller and shorter-lived.

Even so, this equates to a total memory overhead of 3-5% in real workloads, according to Google.

Performance considerations prompted Google not to enable the technology by default, although users can override this setting to enable full Site Isolation.

In a blog post charting its progress in developing the technology, Google explains how the slimmed down version of Site Isolation will work in practice.

“Once Chrome observes a password interaction on a website, future visits to that site will be protected by Site Isolation,” it explains.

“That means the site will be rendered in its own dedicated renderer process, walled off from other sites.

“Navigations to other sites will cause a tab to switch processes, and cross-site iframes are put into a different process, becoming ‘out-of-process iframes’.”

Google has plans to make tweaks in its technology to allow website operators to opt in any site to Site Isolation, without requiring user login.

Chrome’s Site Isolation is comparable with Firefox containers but arguably goes further.

In Chrome 77, Site Isolation means cookies and stored passwords can only be accessed by processes locked to the corresponding site.

In addition, “Site Isolation uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) from a process, even if that process tries to lie to Chrome's network stack about its origin.”

Google hopes to bring these enhanced protections to Chrome for Android.
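What the Cross-Origin Read Blocking quote above means for a site operator, as an added example that is not from the article or from Chrome's code: a simplified JavaScript model that audits response headers for CORB eligibility. The function names, verdict labels and sample responses are assumptions, and the `X-Content-Type-Options: nosniff` rule follows Chromium's developer guidance on CORB rather than anything stated on this page.

```javascript
// Added example: simplified model of CORB eligibility, not Chrome's implementation.
// MIME types for the resource kinds named in the quote (HTML, XML, JSON, PDF).
const PROTECTED = new Set(['text/html', 'text/xml', 'application/xml',
  'text/json', 'application/json', 'application/pdf']);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mimeEssence(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

function isProtectedType(mime) {
  if (mime === 'image/svg+xml') return false; // SVG is an image, embedded cross-site legitimately
  return PROTECTED.has(mime) || mime.endsWith('+xml') || mime.endsWith('+json');
}

// Verdict labels are hypothetical names for this example.
function classify(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const mime = mimeEssence(h['content-type']);
  if (!mime) return 'unlabelled';
  if (!isProtectedType(mime)) return 'not-eligible'; // outside the quoted list in this model
  const nosniff = (h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  // Conservative simplification: without nosniff, assume the verdict depends on body sniffing.
  return nosniff ? 'eligible' : 'relies-on-sniffing';
}

// Report sensitive responses that are not unambiguously eligible.
function audit(responses) {
  return responses
    .filter(r => r.sensitive)
    .map(r => ({ url: r.url, verdict: classify(r.headers) }))
    .filter(row => row.verdict !== 'eligible');
}

// Constructed sample responses (hypothetical URLs on example.test).
const SAMPLE = [
  { url: 'https://example.test/api/account', sensitive: true,
    headers: { 'Content-Type': 'application/json; charset=utf-8', 'X-Content-Type-Options': 'nosniff' } },
  { url: 'https://example.test/api/orders', sensitive: true,
    headers: { 'content-type': 'Application/JSON' } },
  { url: 'https://example.test/export/statement', sensitive: true,
    headers: { 'Content-Type': 'application/octet-stream', 'X-Content-Type-Options': 'nosniff' } },
  { url: 'https://example.test/feed', sensitive: true, headers: { 'Content-Type': 'application/atom+xml' } },
  { url: 'https://example.test/logo.svg', sensitive: false, headers: { 'Content-Type': 'image/svg+xml' } },
];

for (const { url, verdict } of audit(SAMPLE)) console.log(`${verdict.padEnd(18)} ${url}`);
```

Responses the audit flags are the ones to relabel with an accurate `Content-Type` and `nosniff`, so that the filter does not have to guess what they contain.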

The changes in how its browser works have prompted Google to broaden the scope of the Chrome Vulnerability Reward Program to also cover cross-site data disclosure attacks that involve compromised renderers.

“For a limited time, security bugs affecting Site Isolation may be eligible for higher rewards than the usual amount for information disclosure bugs,” it concludes.

