Securing Browsers Through Isolation Versus Mitigation

Discussion in 'other security issues & news' started by WildByDesign, Feb 24, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Copied over from the Chrome Stable Channel thread:

    OOPIF Status - Isolate Extensions has launched on M56 Stable! (pushed to 100% of users now)
    Source: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/FFqNVkO9MBQ

    Upcoming --site-per-process will be the real "meat and potatoes" for Chromium's Site Isolation.
     
  2. WildByDesign

    WildByDesign Registered Member

    @mood Good stuff, thank you for sharing your findings so far. I always have great trust in your breakdowns and details. Keep in mind, though, that --site-per-process in particular has a large list of bugs still so just be aware of that. The extension isolation is stable now though which is great.

    As this Site Isolation in Chromium comes to fruition, with various stages of implementation, this is going to secure Chromium based browsers quite significantly. Some of the security researcher heavyweights are speaking quite highly of Site Isolation. So it should be interesting to see as it all comes together.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,260
    Location:
    .
  4. WildByDesign

    WildByDesign Registered Member

  5. Mr.X

    Mr.X Registered Member

    I'm trying to make this work: --isolate-extensions.

    But how to know whether it was enabled or not?
     
  6. guest

    guest Guest

    As long as you can see "--isolate-extensions" in the command-line of your chrome-process in the process-manager, you know that the option is "active".
     
  7. Mr.X

    Mr.X Registered Member

    As usual you're right. Thank you.

    --isolate-extensions.png
     
  8. guest

    guest Guest

    @Mister X You can also go to chrome://version to see the "complete" command-line, with all switches and flags.
    -------
    There is a command-line switch --site-per-process for enabling the Site Isolation, but there is also a flag for enabling it: chrome://flags/#enable-site-per-process

    I enabled the flag and removed the command-line switch, so I have room for more command-line switches :)
    After launching Chrome and visiting chrome://version I can see --site-per-process in the command-line.
     
  9. Mr.X

    Mr.X Registered Member

    Thank you again. :)

    Chrome cmd line.png
     
  10. Mr.X

    Mr.X Registered Member

    Gonna play with this later on, tonight maybe tomorrow :thumb:
     
  11. Mr.X

    Mr.X Registered Member

    Yes, good move. So here I see there's a need for cmd lines to be incorporated into Chrome itself as flags for better convenience.
     
  12. Mr.X

    Mr.X Registered Member

    Before enabling --site-per-process:
    before enabling.png

    After enabling --site-per-process:
    after enabling.png

    :thumb:

    Now we'll see whether an issue might show up, as @WildByDesign stated. This flag is still highly experimental.
     
  13. guest

    guest Guest

    Except for the higher resource usage, I didn't notice any negative effect from enabling "site-per-process".
     
  14. Mr.X

    Mr.X Registered Member

    Speaking of higher resource usage, did you or someone try the --disable-background-timer-throttling cmd line?
     
    Last edited: Mar 15, 2017
  15. guest

    guest Guest

    It can also be set with a flag:
    chrome://flags/#expensive-background-timer-throttling
    The triggering is enabled by default with v57. I haven't disabled it, so I have the default value (throttling enabled).
     
  16. Mr.X

    Mr.X Registered Member

    Correct. It's enabled by default in v57. Thanks.
     
  17. Mr.X

    Mr.X Registered Member

  18. guest

    guest Guest

    Yes, the command line flag can be removed.

    There are now two ways to enable Strict site isolation
    1) a flag can be enabled: chrome://flags/#enable-site-per-process
    2) or it can be enabled with a group policy setting ("Enable Site Isolation for every site") (Group Policy Templates for Chrome)
     
  19. Mr.X

    Mr.X Registered Member

  20. WildByDesign

    WildByDesign Registered Member

    Site Isolation is a fantastic addition to Chrome sandboxing on Windows, without a doubt. Particularly with regard to data exfiltration and such. Each site in each process will have related data protected via traditional Chrome sandboxing but also now via isolation. This is a huge step up from Microsoft's Edge browser.

    Apparently this will also eventually develop into better code execution prevention as well with the same isolation architecture methods as they develop this further. So that is something to look forward to in the future as well.

    Here is something special:

    You can specifically isolate banking web sites to their own processes to better protect that data!
    (from https://support.google.com/chrome/a/answer/7581529)


    Command line example (domains separated with a comma ( , )):
    Code:
    --isolate-origins=https://easyweb.td.com,https://www.scotiaonline.scotiabank.com

    As with any Chrome/Chromium command lines, you can add that to your browser shortcut or if you are using chrlauncher (https://www.henrypp.org/product/chrlauncher) you can edit chrlauncher.ini file in the Command line for Chromium (string) section to add any command lines you like.

    Some folks and some news sites may complain about an increase in memory usage (RAM) with the additional chrome.exe processes because some people like to worry about RAM usage. But quite honestly, I would much rather have a fast, efficient and snappy browser that is wickedly stable, reliable and also enjoy the additional sandboxing, mitigation and data isolation capabilities. As you may know, I prefer to use a browser that is leading the pack with developments as opposed to other browsers which are always playing catch up. Boom! :thumb:
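
Added example, not part of any post in this thread and not Chrome's own code: a small auditor for a command line copied from the process manager or chrome://version, as described in the posts above. It reports which isolation switches are present, whether each sits inside the `--flag-switches-begin`/`--flag-switches-end` markers, and which `--isolate-origins` entries are not bare origins. The sample command line and install path are constructed, and the rule that an entry must be an http(s) origin without a path is this example's assumption.

```python
import shlex
from urllib.parse import urlsplit

ISOLATION_SWITCHES = ("--site-per-process", "--isolate-extensions", "--isolate-origins")

def check_origin(entry):
    """Return None if entry is a bare web origin, otherwise the reason it is not."""
    if not entry or entry != entry.strip():
        return "empty entry or stray whitespace"
    try:
        parts = urlsplit(entry)
    except ValueError:
        return "not parseable as a URL"
    if parts.scheme not in ("http", "https"):
        return "scheme is not http/https"
    if not parts.hostname:
        return "no host"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return "carries a path, query or fragment"
    return None

def audit_command_line(cmdline):
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    report = {"switches": {}, "origins": [], "problems": []}
    from_flags = False  # True while between the chrome://flags markers
    for tok in tokens:
        if tok == "--flag-switches-begin":
            from_flags = True
        elif tok == "--flag-switches-end":
            from_flags = False
        name, _, value = tok.partition("=")
        if name not in ISOLATION_SWITCHES:
            continue
        report["switches"][name] = "chrome://flags" if from_flags else "command line"
        if name == "--isolate-origins":
            for entry in value.strip('"').split(","):
                reason = check_origin(entry)
                if reason:
                    report["problems"].append((entry, reason))
                else:
                    report["origins"].append(entry)
    return report

# Constructed sample: one good origin, one with a path, one missing its scheme.
SAMPLE = (r'"C:\My Browsers\chrome.exe" '
          "--isolate-origins=https://easyweb.td.com,"
          "https://www.scotiaonline.scotiabank.com/login,easyweb.td.com "
          "--flag-switches-begin --site-per-process --flag-switches-end")

if __name__ == "__main__":
    print(audit_command_line(SAMPLE))
```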
     
  21. Mr.X

    Mr.X Registered Member

  22. Mr.X

    Mr.X Registered Member

    Got --isolate-extensions cmd line enabled in my shortcuts.

    Wonder whether it's still needed now that Chrome 63 fully supports the Site Isolation flag.
    Also I wonder whether Extension Isolation has got anything to do with Site Isolation or is related somehow. Independent perhaps?

    Did some 15 min. digging and reading but found nothing.
     
  23. guest

    guest Guest

    In the list of Command Line Switches it is not mentioned, and it seems to be enabled by default:
    Commit (Aug 2016)
     
  24. Mr.X

    Mr.X Registered Member

    Thanks @mood

    Then I suppose I can remove it from my shortcuts since it doesn't function anymore.

    Question, what's CL in this context?
     
  25. guest

    guest Guest

    In the "log-file" of Chrome releases this is often mentioned: "This CL ensures ..." / "This CL adds ..." and I can only speculate, but maybe it is something "commit"-related :cautious:

    With my guess I was close; after some searching I have found something:
     