How to Enable Strict Site Isolation in Chrome

Jan 6, 2018 - 9 Comments


One way to increase security in the Google Chrome web browser is to enable strict site isolation, which causes each page renderer process to contain pages from only a single site at a time, effectively placing them in a per-site sandbox.

In theory this could help mitigate certain security risks, like those posed by the Meltdown and Spectre threats, but it should not be considered a replacement for keeping the Chrome web browser up to date with the latest versions, which often include security patches.

Strict site isolation is considered a “highly experimental” security mode, and while it’s easy to turn on in Google Chrome it is not without some potential drawbacks, mostly related to resource usage.

How to Enable Site Isolation in Google Chrome

You can enable Strict Site Isolation in Google Chrome for Mac OS, Windows, Linux, Chrome OS, and Android. Here’s how:

  1. Open the Google Chrome browser if you have not done so already
  2. In the URL address bar, enter the following: chrome://flags/#enable-site-per-process
  3. Find “Strict site isolation” and click on the “Enable” button to the right
  4. Click the “Relaunch Now” button in the bottom corner to quit and re-open Chrome for the change to take effect

Once Chrome relaunches the Site Isolation feature will be enabled, and each unique website should be placed into its own Chrome process sandbox.
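
To confirm the setting was recorded after the relaunch, the added example below (not from the original article or from Chrome itself) reads copies of Chrome's `Local State` file and reports whether the `enable-site-per-process` flag is listed. It assumes choices made in chrome://flags are stored in that JSON file under `browser.enabled_labs_experiments`, with an `@N` suffix when a flag offers several choices; the host names and sample documents are constructed.

```python
import json

# Flag id taken from the article's URL: chrome://flags/#enable-site-per-process
FLAG = "enable-site-per-process"

def flag_state(local_state_text, flag=FLAG):
    """Classify one Local State document.

    Returns 'enabled' (flag listed by name), 'choice:<N>' (listed with an
    @N suffix, which needs a manual look), 'default' (not listed) or
    'unreadable' (the file is not valid JSON, e.g. a truncated copy).
    """
    try:
        doc = json.loads(local_state_text)
    except ValueError:
        return "unreadable"
    browser = doc.get("browser") if isinstance(doc, dict) else None
    # Assumption: flags set via chrome://flags are stored in this list.
    entries = browser.get("enabled_labs_experiments") if isinstance(browser, dict) else None
    if not isinstance(entries, list):
        return "default"
    for entry in entries:
        if not isinstance(entry, str):
            continue
        name, _, choice = entry.partition("@")
        if name == flag:
            return "enabled" if not choice else "choice:" + choice
    return "default"

def hosts_needing_attention(samples):
    """Return the hosts whose copy does not clearly show the flag enabled."""
    return sorted(h for h, text in samples.items() if flag_state(text) != "enabled")

# Constructed sample inputs; "some-other-flag" is a placeholder, not a real flag.
SAMPLES = {
    "laptop-a": '{"browser": {"enabled_labs_experiments": ["enable-site-per-process"]}}',
    "laptop-b": '{"browser": {"enabled_labs_experiments": ["some-other-flag"]}}',
    "laptop-c": '{"browser": {}}',
    "laptop-d": '{"browser": {"enabled_labs_experiments": ["enable-site-per-process@2"]}}',
    "laptop-e": '{"browser": ',
}

if __name__ == "__main__":
    for host in sorted(SAMPLES):
        print(host, flag_state(SAMPLES[host]))
```
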

The explanation of Strict Site Isolation offered in the Chrome settings is as follows:
“Highly experimental security mode that ensures each renderer process contains pages from at most one site. In this mode, out of process frames will be used whenever an iframe is cross site”

However, a much more detailed explanation of Site Isolation is outlined on the Chromium site as follows:

Site Isolation is an experimental security feature in Chrome that offers additional protection against some types of security bugs.  It makes it harder for untrusted websites to access or steal information from your accounts on other websites.

Websites typically cannot access each other’s data inside the browser, thanks to code that enforces the Same Origin Policy.  Occasionally, security bugs are found in this code and malicious websites may try to bypass these rules to attack other websites.  The Chrome team aims to fix such bugs as quickly as possible.

Site Isolation offers a second line of defense to make such attacks less likely to succeed.  It ensures that pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do.  It also blocks the process from receiving certain types of sensitive documents from other sites.  As a result, a malicious website will find it more difficult to steal data from other sites, even if it can break some of the rules in its own process.

What’s the drawback with enabling Site Isolation in Chrome?

Perhaps the most notable drawback is that enabling this feature can lead to increased memory and resource usage by Chrome, particularly if you keep a lot of tabs and windows open concurrently.

Because it’s experimental, there could be some other issues with the feature, but in testing with several dozen unique tabs open, the most notable difference is simply an increase in memory usage of various Chrome Helper tasks.

Chrome also acknowledges that certain developer tools won’t function as expected, but that should impact fewer casual users.

You can read more about Site Isolation in Chrome by reviewing this Chromium page on the topic, and you can find many other Chrome tips here if you’re interested in other features and capabilities of the cross-platform web browser.

Whether you enable Site Isolation in Chrome or not, for optimal security don’t forget to regularly update your web browser software when updates become available.


Posted by: Paul Horowitz in Security, Tips & Tricks

9 Comments


  1. Howie Isaacks says:

    I prefer to just keep using Safari. It has always been the best browser for me. Apple seems to take security for Mac users a lot more seriously than Google does since they don’t profit from selling my information and browsing habits.

    • no way says:

      Howie, I suggest giving Firefox a try. While Safari is a decent browser, Firefox is a far better browser, with much greater security yet the same ease of use as Safari. You can easily import your Safari bookmarks, and like Safari, with Firefox Sync all your iDevices stay linked up.

      https://www.mozilla.org/en-US/firefox/new/

  2. Slow Browser says:

    Well I enabled Chrome Site Isolation and now Chrome is so slow it is unusable. I guess that is one way to protect yourself, make your web browser unusable so you can’t visit any sites that may put you at risk.

    With Site Isolation disabled the Chrome process pegs my CPU at 100% of all cores constantly. I think I will switch to Firefox if it is safe, since Google is taking a long time to release a patch and so is Apple.

    • Paul says:

      With Site Isolation enabled, Chrome will use more resources. Your best browsing experience will be to open fewer tabs and windows concurrently while this gets sorted out. Sometimes quitting and relaunching can help too. Then, once the new version comes out from Google with security patches, you can disable the Site Isolation feature if you wish.

  3. no way says:

    I use the latest Firefox, and have for years. I always use private browsing, do not allow tracking, do not accept 3rd party cookies, and have had great success keeping my data private.

  4. no way says:

    Best way to stay safe and keep your info off the net is NOT USE CHROME or ANYTHING GOOGLE!!!!

    Google is the biggest seller of info online, everything Google is money making spyware for them.

    • neutronJK says:

      This is nonsense. Google doesn’t distribute spyware. It has no need to. Google makes its money aggregating your search results and selling the info to advertisers. YOU go to THEIR site and put in search terms, that’s how they get information on you. The only other Google software that collects info is Google Maps and you can easily disable that data collection.

  5. Lindy says:

    I have found that every single app or add-on that I have tried to prevent tracking, ads, …whatever…after a while the sites figure out what is going on and start restricting access to their pages until you turn off your protections. It’s cat and mouse and the damn trackers and ads are winning…. they’ll catch up to isolation too ….

  6. pssst3 says:

    Tried it yesterday.
    It screwed up Cloud Print.
    It showed my 3 printers as offline for more than a month. Spooling print jobs into the queue took 4-5X as long, at which time the printers, still shown as offline, printed.

    This could be coincidental as the V63 OS update, dated 12/16/2017 was received on 1/2018 (I power off my Chromebook each night).

    Since I can’t tell if the update included a fix for the Intel bugs, but I’m pretty well protected by my firewall and VPN, I’m going to reset the flag to default.
