Chrome 77 for Android has received the ‘Site Isolation’ feature that Google initially rolled out to desktop users through Chrome 67 back in July last year. The new feature helps defend users majorly against attacks that could leverage the Spectre vulnerability to gain sensitive data access from a process. Initially, the Site Isolation feature on Android devices is enabled only for “high-value sites” where users log in using a password.
“We started isolating all sites for desktop users back in Chrome 67, and now we’re excited to enable it on Android for sites that users log into in Chrome 77,” Google writes in a security-focussed blog post.
The Site Isolation feature uses resources in the background to enhance security on Chrome 77 for Android that was released last month.
In addition to the arrival of the Site Isolation feature for Android devices, Google has upgraded its presence on desktops to help protect against “significantly stronger attacks” through Chrome 77.
The post on the Chromium blog highlights that current implementation of the Site Isolation feature protects sensitive data from the following compromised renderer processes:
- Authentication: Cookies and stored passwords can only be accessed by processes locked to the corresponding site.
- Network data: Site Isolation uses Cross-Origin Read Blocking to filter sensitive resource types (e.g., HTML, XML, JSON, PDF) from a process, even if that process tries to lie to Chrome’s network stack about its origin.
- Resources labelled with a Cross-Origin-Resource-Policy header are also protected.
- Stored data and permissions: Renderer processes can only access stored data (e.g., localStorage) or permissions (e.g., microphone) based on the process’s site lock.
- Cross-origin messaging: Chrome’s browser process can verify the source origin of postMessage and BroadcastChannel messages, preventing the renderer process from lying about who sent the message.