Everything You Need to Know About Strict Site Isolation in Chrome
Google has added a new security feature in Chrome called Strict Site Isolation that is supposed to offer protection against some on-site vulnerabilities. However, the question remains how Strict Site Isolution actually benefits you? And are there any drawbacks that could affect your browsing?
For the last few days, I have been using Chrome with Strict Site Isolation enabled. It does offer extra security, but I also noticed some drawbacks that made me rethink enabling the feature. If you also want to enable Strict Site Isolation in Chrome, then you must understand whether it’s worth the security it offers or not. In today’s post, I’ll explain everything you’ll need to make the right decision.
What is Strict Site Isolation in Chrome?
When enabled, Chrome opens up a dedicated process for each website you access and creates a strict wall between them that keeps them separate. This creates a dedicated sandbox for each website where neither they can access information of other websites nor their information could be accessed by other websites.
Infected websites can take advantage of bugs in Universal Cross-site Scripting (UXSS) to access information of websites opened in other tabs, such as usernames and passwords. This is similar to the recent Meltdown and Spectra vulnerability.
After enabling Strict Site Isolation in Chrome, the websites will be isolated from other websites, therefore infected websites can’t steal information from other websites.
Do note that Chrome always opens up a new process when a new website is opened. However, after enabling Strict Site Isolation, it will also specifically halt websites from accessing data; including sharing sensitive documents.
Drawbacks of Strict Site Isolation
Although it’s a big step forward in security, but it also comes with its drawbacks. There are some temporary issues that should get fixed in the next Chrome update. Although, Strict Site Isolation also introduces a permanent drawback.
Below are the issues that you may face when you’ll enable Strict Site Isolation right now before Chrome 64 update:
- While printing pages, some areas in the pages may be blank. If that happens, you can save the page locally first and then print it.
- Gmail may not load when accessed from the Chrome apps icon. Although access through web address will still work.
- Sometimes clicking and scrolling may not work on websites.
- Some Developers tools may not work properly, such as network requests and cookies from cross-site iframes.
- I also noticed websites getting stuck more often while loading. The circled kept spinning but the website didn’t open. Although refreshing fixed the issue.
Even though the above drawbacks will be fixed soon, but there is one problem that you will have to face when Strict Site Isolation is enabled. As each website will have its ownprocess and they will be separated, Chrome will also use more memory and CPU resource than usual. The increase could be anywhere between 10–20% based on your usage. As chrome is already known for being resource hungry, this further increase in resource usage will surely not please people who have PCs with lower specs.
If Chrome is already facing problems running on your machine, then you should not enable Strict Site Isolation. Or better yet, only enable it for few sensitive sites (like your bank’s official website) and keep it disabled for others. I’ll show you how to do it below.
Enable Strict Site Isolation for all sites in Chrome
Now that you know what is Strict Site Isolation and whether you should enable it or not, let’s see how to enable it. There are two ways to do it, you can do it from hidden Chrome flag settings or by using command line flags. I’ll show you both:
Enable Strict Site Isolation from Chrome flags
In the address bar, type
chrome://flags#enable-site-per-process and hit enter. On the next page, enable “Strict site isolation” flag and relaunch Chrome using the “Relaunch” button below.
Enable Strict Site Isolation from command line flags
Depending on your operating system, you can use command line flags to enable Strict Site Isolation. The process is different in each operating system. I am going to show you how to do it in Windows. If you are using a different operating system, then checkout this guide on how to specify command line flags.
On the desktop, right-click on the Chrome shortcut and select “Properties”.
Here under the “Shortcut” tab, add space and then
--site-per-process at the end of the “Target” field. Make sure you add a space and then paste this suffix. The target field should look like this:
Now click “Apply” and whenever you will access Chrome through this shortcut, Strict Site Isolation will be enabled. You can also create two Chrome shortcuts and enable Strict Site Isolation on one and keep it disabled on the other. Although, make sure you create the secondary shortcut before you go through the above process. Otherwise, the customized setting will apply to both the shortcuts.
Enable Strict Site Isolation for particular websites
If you only want this security measure for sensitive websites, then this can also be done using command line flags.
Go through the same process as above to open the “Shortcut” tab in Chrome Properties. Now in the “Target” field, add a space and then add
--isolate-origins= directly followed by the URL of the websites without spaces and sparated by commas.
This will block the domains and any subdomains as well.
Strict Site Isolation is definitely a feature worth enabling, but it does have some drawbacks that you should consider before enabling. I will recommend waiting for Chrome 64 update to fix the bugs before you take advantage of Strict Site Isolation. However, if you are conscious you can enable it right away using the above instructions.
Originally published at www.gtricks.com on January 11, 2018.