Chrome 77 for Android Gets Google's 'Site Isolation' Feature to Protect Against Spectre-Like Attacks

Chrome 77 for Android has received the 'Site Isolation' feature that Google initially rolled out to desktop users through Chrome 67 back in July last year. The new feature helps defend users majorly against attacks that could leverage the Spectre vulnerability to gain sensitive data access from a process. Initially, the Site Isolation feature on Android devices is enabled only for "high-value sites" where users log in using a password. The search giant, however, does have the plan to optimise the feature and expand its presence to further enhance security for Chrome users on the Android platform.

As detailed last year, the Site Isolation feature designed to isolate the browser from rendering the content of each website opened on the system and use a dedicated process for every single site. This restricts the sharing of processes between multiple sites and helps avoid attacks driven by vulnerabilities such as Spectre that was disclosed last year.

"We started isolating all sites for desktop users back in Chrome 67, and now we're excited to enable it on Android for sites that users log into in Chrome 77," Google writes in a security-focussed blog post.

The Site Isolation feature uses resources in the background to enhance security on Chrome 77 for Android that was released last month. This, thus, impacts the performance to some extent.

However, Google says unlike its desktop version that isolates all websites, the feature on Android is turned on only for high-value sites that require login details. "This protects sites with sensitive data that users likely care about, such as banks or shopping sites, while allowing process sharing among less critical sites," the company notes in a separate post published on the Chromium blog.

To ensure that the change won't largely impact the performance, Google has enabled the Site Isolation feature only for Android devices that have at least 2GB of RAM. The Chrome team does have plans to expand it to other devices in the future and is working on "allowing website operators to opt in any site to the Site Isolation, without requiring user login". Also, users can opt in to the full Site Isolation experience that is available on desktops by manually enabling the option from "chrome://flags/#enable-site-per-process".

In addition to the arrival of the Site Isolation feature for Android devices, Google has upgraded its presence on desktops to help protect against "significantly stronger attacks" through Chrome 77.

The post on the Chromium blog highlights that current implementation of the Site Isolation feature protects sensitive data from the following compromised renderer processes:

• Authentication: Cookies and stored passwords can only be accessed by processes locked to the corresponding site.
• Network data: Site Isolation uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) from a process, even if that process tries to lie to Chrome's network stack about its origin.
• Resources labelled with a Cross-Origin-Resource-Policy header are also protected.
• Stored data and permissions: Renderer processes can only access stored data (e.g., localStorage) or permissions (e.g., microphone) based on the process's site lock.
• Cross-origin messaging: Chrome's browser process can verify the source origin of postMessage and BroadcastChannel messages, preventing the renderer process from lying about who sent the message.

Additionally, Google is in the development to improve the existing compromised renderer protections by adding CSRF defenses and protecting additional data types by default using Cross-Origin Read Blocking. It is also working to remove cases where the planned protections have not yet applied.