Site Isolation and Content Embedders


Charlie Reis

Jul 16, 2018, 4:31:54 PM
to embedd...@chromium.org, Chromium Site Isolation
Hi Content Embedders!

As you may have seen recently on chromium-dev or on the Google Security Blog, we've recently turned on Site Isolation in Chrome 67 for desktop platforms.  This is an important part of our Spectre mitigations, and it tries to minimize the amount of data worth stealing in renderer processes that might attempt Spectre attacks.  The main tradeoff is that it requires more renderer processes (e.g., for out-of-process iframes) and cross-process navigations, leading to about 10-13% total memory overhead in Chrome's measured workloads in practice.

I mention this here for two reasons:

1) You might consider testing and deploying Site Isolation (specifically, SitePerProcess) in your own Chromium-based browsers, to help protect your users from Spectre.
Our security team considers this the most effective mitigation approach, and the bulk of the hard work for supporting out-of-process iframes is already in place in Content.  You can do this in Chrome 67+ by returning true from ContentBrowserClient::ShouldEnableStrictSiteIsolation().  We're happy to answer any functionality questions on site-isolation-dev@ if you're considering using it.

2) As discussed here and in https://crbug.com/856734, we're likely going to make Site Isolation the default mode in Content sometime around M70.
This change will ensure that our testing infrastructure covers the mode we ship in Chrome, and we think this should be the general default moving forward.  That said, many platforms will still disable it, including Chrome for Android, Chromecast, etc.

Note: We fully intend to preserve the ability of Content Embedders to turn off Site Isolation for the foreseeable future.  However, this means you will need to take action in your own browsers to disable it if desired, when the time comes.  We haven't made the change yet, but we'll post to this thread with specifics of how to disable it once it happens.

Please let us know if you have questions or concerns about this change, or about the implications of enabling Site Isolation in your own browsers if you choose to do so.

Thanks!
Charlie Reis and the Site Isolation team

Łukasz Anforowicz

Aug 9, 2018, 12:20:14 PM
to Chromium Embedders, site-isol...@chromium.org
I just wanted to give a heads-up that the CL that makes Site Isolation the default mode (in //content, on desktop platforms) is almost ready to land - see https://chromium-review.googlesource.com/c/chromium/src/+/1153981.  Notice how this CL disables Site Isolation in some //content embedders (e.g. chromecast) by overriding ContentBrowserClient::ShouldEnableStrictSiteIsolation.
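
The opt-in point mentioned in both messages above is a single virtual method on the embedder's ContentBrowserClient. The following is an added example, not code from the thread, from Chromium, or from any real embedder: the small ContentBrowserClient base class is a compilable stand-in for content::ContentBrowserClient, and the platform-info struct, the embedder class name and the memory threshold are assumptions made up for the illustration. It shows one way an embedder can return true on desktop (Charlie's suggestion) while keeping the override returning false on constrained or policy-managed platforms (the Chromecast-style opt-out Łukasz describes).

```cpp
#include <cstdint>

// Stand-in for content::ContentBrowserClient so this file builds alone.
// A real embedder includes "content/public/browser/content_browser_client.h".
namespace content {
class ContentBrowserClient {
 public:
  virtual ~ContentBrowserClient() = default;
  // Stand-in default; in //content the default flipped to true for desktop
  // when the CL in the thread landed.
  virtual bool ShouldEnableStrictSiteIsolation() { return false; }
};
}  // namespace content

// Hypothetical inputs an embedder might consult (assumed names).
struct EmbedderPlatformInfo {
  bool is_desktop;              // Chrome 67 enabled it on desktop first
  uint64_t physical_memory_mb;  // OOPIFs cost ~10-13% memory in Chrome's data
  bool disabled_by_policy;      // embedder/admin switch to keep it off
};

class MyEmbedderContentBrowserClient : public content::ContentBrowserClient {
 public:
  explicit MyEmbedderContentBrowserClient(EmbedderPlatformInfo info)
      : info_(info) {}

  // Returning true is the opt-in; returning false is how an embedder keeps
  // Site Isolation off once //content makes it the default.
  bool ShouldEnableStrictSiteIsolation() override {
    if (info_.disabled_by_policy) return false;
    if (!info_.is_desktop) return false;  // e.g. a Chromecast-like target
    // Assumed threshold, not a Chromium value: avoid the extra renderer
    // processes on very small machines.
    return info_.physical_memory_mb >= kMinMemoryMbForSiteIsolation;
  }

 private:
  static constexpr uint64_t kMinMemoryMbForSiteIsolation = 1024;
  EmbedderPlatformInfo info_;
};

// Startup helper: evaluates the decision through the base-class interface,
// the same way //content would call it.
bool StrictSiteIsolationEnabledFor(const EmbedderPlatformInfo& info) {
  MyEmbedderContentBrowserClient client(info);
  content::ContentBrowserClient& base = client;
  return base.ShouldEnableStrictSiteIsolation();
}
```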

Łukasz Anforowicz

Aug 10, 2018, 1:29:56 PM
to Chromium Embedders, site-isol...@chromium.org
The CL above has landed now - Strict Site Isolation is now the default mode in the //content layer on desktop platforms.