[PSA] Site Isolation team planning a Canary-only Strict Origin Isolation trial May 23-30.
W. James MacLean
tl;dr Starting May 23rd, for 1 week on desktop Canary channel only, we will be running a 50% A/B trial with the --enable-features=StrictOriginIsolation flag turned on. The trial will gauge the expected resource overhead (e.g. process count & memory) and performance (e.g. input latency) of isolating by origin rather than site (eTLD+1). Possible issues: users in the active trial group may find that sites that rely on modifying document.domain for cross-origin scripting may not function as expected, and resource usage may increase.
Details
To better understand the implications of providing finer-grained isolation, we will be running a trial where the isolation is based on unique origins, and not “site” (eTLD+1). This means that URLs like https://a.example.com and https://b.example.com will end up in different processes.
This will be of short duration, ~1 week for the active phase, and only on desktop Canary channel. We have no plans to extend this trial to other channels.
Trial contacts: wjma...@chromium.org, cr...@chromium.org, site-isol...@chromium.org
There are some cases where sites may not work as expected, namely those that rely on cross-origin scripting after modifying document.domain for their correct operation. We hope that the number of sites disrupted will be low, and the limited duration and scope should keep the impact low. The collected data will help inform important decisions about Chrome's process model and opt-in approaches for isolating particular origins.
If you’d like to experiment with the trial feature in advance or independently, you can enable it in chrome://flags/#strict-origin-isolation, or specify --enable-features=StrictOriginIsolation on the command line.
Further details can be found at https://www.chromium.org/Home/chromium-security/strict-origin-isolation-trial, including (i) how to determine if issues are specific to the trial, and (ii) if so, how to report them or opt-out of the trial.
W. James MacLean
Daniel Bratell
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CADAYvof6XP%2B8gJBJmZ0S7Z7ZUqFkTae42LAQU0q4Hdx8UpjCdg%40mail.gmail.com.
W. James MacLean
https://docs.google.com/document/d/1O9Nja3YAWXgYAu0g73EP-Ib0gvWCK0MoWi7W7nGbvJo/edit?usp=sharing
Similarly, are there any particular widely known frontend frameworks that you know rely on patterns that origin-per-process will break?Alex
--
To unsubscribe from this group and stop receiving emails from it, send an email to site-isolation-...@chromium.org.
----All that is necessary for evil to succeed is for good people to do nothing.
To unsubscribe from this group and stop receiving emails from it, send an email to site-isolation-...@chromium.org.
Mike West
Daniel,At present we have no good sense of how many sites. Less than 4% of sites modify document.domain, and not all of that will entail usage that we'll break. We are in touch with the few sites that we're aware of that might be affected, but given the short timeline and limited scoped of the trial, we aren't planning on implementing any sort of exclusion mechanism.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CADAYvoduv8i9hZ1SWjLHsC79anPWZgi2btraTm_ePnHskQALJg%40mail.gmail.com.