Following the recent update to Chrome 77, Google has taken to its security blog to explain how site isolation works differently on Android than on desktop platforms.
On desktop platforms, site isolation puts each site in its own renderer process. Cookies and stored data, including cached network data, passwords and permissions, are held outside the renderer and handed only to the process that belongs to the matching site. The browser process also refuses to accept a renderer's claim that it is acting on behalf of some other site, so a renderer cannot simply lie about its origin in its messages to the browser in order to obtain another site's data.
That holds even when a renderer process has been fully compromised by an attacker: the goal is to keep such a process from reading data that belongs to other sites and other processes. Although site isolation was initially designed to ward off Spectre-like attacks, it also guards against a wide variety of cross-site attacks, cross-site data theft in particular.
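The process boundary site isolation uses is the "site" (scheme plus registrable domain), which is coarser than a web origin (scheme, host and port). The following is an added example, not code from the article or from Chromium, that groups URLs into sites the way a browser would assign them to renderer processes and then applies the access rule the text describes: a renderer only ever receives data for its own site. The public-suffix list is a small constructed subset assumed for illustration; real browsers use the full list.

```javascript
// Added illustration (not Chromium code): the "site" grouping used by Site
// Isolation and the per-site access check enforced by the browser process.
//
// Constructed subset of the public suffix list, assumed for this example only.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest known public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  let suffixLen = 0;
  for (let n = 1; n <= labels.length; n++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(-n).join("."))) suffixLen = n;
  }
  // No known suffix (IP literals, localhost) or the host is itself a suffix:
  // treat the whole host as the domain.
  if (suffixLen === 0 || suffixLen >= labels.length) return labels.join(".");
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Site = scheme + registrable domain. Port and subdomain are deliberately
// dropped: accounts.example.com and www.example.com share one process.
function siteFor(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Assign each URL to the renderer process that owns its site.
function groupBySite(urls) {
  const processes = new Map();
  for (const url of urls) {
    const site = siteFor(url);
    if (!processes.has(site)) processes.set(site, []);
    processes.get(site).push(url);
  }
  return processes;
}

// The browser-side rule: a renderer locked to `rendererSite` may receive
// cookies, stored data or response bodies only for resources of that site,
// regardless of what site the renderer claims to be.
function browserAllowsAccess(rendererSite, claimedSite, resourceUrl) {
  // The claim is ignored; only the site the process was locked to matters.
  void claimedSite;
  return siteFor(resourceUrl) === rendererSite;
}

// Constructed sample input.
const SAMPLE_URLS = [
  "https://accounts.example.com/login",
  "https://www.example.com/",
  "http://www.example.com/",
  "https://shop.example.co.uk/cart",
  "https://alice.github.io/",
  "https://bob.github.io/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const [site, urls] of groupBySite(SAMPLE_URLS)) {
    console.log(`${site} -> ${urls.length} url(s)`);
  }
}
```

Two details worth noticing in the grouping: the http and https versions of example.com land in different processes because the scheme is part of the site, and alice.github.io and bob.github.io are separate sites because github.io is on the public suffix list.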
The key difference on Android is that site isolation is enabled only for sites where the user signs in with a password. Google chose that trigger because it covers the data it considers most sensitive, such as bank account details and personal information, without paying the cost of isolating every site.
Isolating everything is not practical on Android: the company explains that Android devices are typically more resource-constrained than desktops, so turning site isolation on across the board would be harder to reconcile with acceptable performance and memory use.
Full protection and future plans for site isolation in Chrome for Android
The search giant also outlined a basic plan for site isolation on Android going forward. Google hopes to eventually bring all of the protections found in desktop Chrome to Android. Password-triggered site isolation currently reaches 99 percent of users on Android devices with more than 2GB of RAM. The remaining one percent of eligible devices is deliberately left without the feature so that its performance impact can be monitored.
Full site isolation is available for users who want it. They only need to navigate to “chrome://flags/#enable-site-per-process” and turn the flag on. The caveat is that considerably more RAM will be used. Note also that the list of isolated sites Chrome keeps locally will keep growing until the user clears browsing data.
In the meantime, Google is working on more ways of detecting precisely which sites need the feature. One example it gives is an opt-in for site operators, which would let a site be isolated even when no login is involved.
Google hopes to drive innovation here with bigger rewards for bug-finders
A significant number of the improvements added to Chrome over the past several years have come from bug reports filed by security researchers. That is no different for Chrome 77 and the upcoming Chrome 78, but Google is now putting a special focus on site isolation.
Now that site isolation is more widespread and hardened against a wider variety of attacks, Google is expanding the Chrome Vulnerability Reward Program to cover cross-site data disclosure attacks that involve a compromised renderer. The program extension subjects the feature to the same rigorous scrutiny that other Chrome features have undergone and continue to face.
To that end, the company says that for a “limited time” it is placing higher bounties on those security bugs, specifically the ones pertaining to site isolation. In some cases those rewards will be significantly higher than the rewards for other information disclosure bugs.