| Site Isolation | |
|---|---|
| Name | Site Isolation |
| Type | Security architecture |
| Introduced | 2018 (enabled by default for desktop users in Google Chrome 67; opt-in since Chrome 63) |
| Implemented by | Chromium Project (Google Chrome and Chromium-based browsers), Mozilla Foundation (Firefox, under the name Fission) |
| Scope | Web browsers: Chromium (web browser), Google Chrome, Microsoft Edge, Brave, Opera, Mozilla Firefox |
| License | Open source (BSD-style for Chromium components) |
Site Isolation
Site Isolation is a browser security architecture that places web content from different sites into distinct operating system processes, so that data belonging to one site is never mapped into the address space of a process that renders another. It emerged as a response to two threats that the same-origin policy alone cannot contain: memory-safety bugs that let an attacker fully compromise a renderer process, and speculative execution side channels such as Spectre, which let untrusted JavaScript read any memory within its own process. Site Isolation combines process-level sandboxing with same-origin policy principles, and major browser vendors implemented it or analogous techniques to contain both classes of attack.
Site Isolation partitions web content by mapping each site to its own renderer process. A site is defined more coarsely than an origin: it is the URL scheme plus the registrable domain (the public suffix and one label, for example https://example.com for https://mail.example.com), because pages on different subdomains of one registrable domain may legitimately share state through document.domain and therefore cannot be separated without breaking them. The approach complements the Same-origin policy and builds on existing defences such as Process isolation (computing) and Address Space Layout Randomization. Assigning each site to a separate process makes it feasible to isolate third-party content such as advertisements or embedded widgets, which limits the blast radius of a renderer compromise and confines in-process side channels such as Spectre to data the attacker's site could already read. Implementations are integrated into browser architectures such as the Chromium Project and rely on sandboxing features of the underlying operating systems from vendors such as Microsoft and Apple Inc..
Design choices for Site Isolation include per-origin versus per-site process models, process reuse policies, and navigation strategies for cross-site frames. Chromium's implementation uses a per-site-instance model controlled by the site-per-process setting (the --site-per-process switch and the corresponding chrome://flags entry): a cross-site iframe is rendered by an out-of-process iframe (OOPIF) hosted in the process for its own site, and cross-site navigations swap the document into a process for the destination site. This requires coordination among the multiprocess subsystems, the browser process, renderer processes (running the Blink layout engine and the V8 engine), the GPU process, and utility processes, with message passing over Chromium's Mojo IPC layer. The browser process confines compromised renderers with platform sandboxing primitives: seccomp-bpf filters and namespaces on the Linux kernel, restricted tokens, job objects and integrity levels on Windows NT, and the Seatbelt sandbox on XNU. Because a compromised renderer can still issue arbitrary network requests, the browser process also filters what it returns: Cross-Origin Read Blocking (CORB), later generalized as Opaque Response Blocking, withholds cross-site HTML, XML and JSON response bodies from a renderer that has no legitimate way to read them, applying the origin and Cross-Origin Resource Sharing rules standardized through the World Wide Web Consortium and WHATWG in the browser process rather than trusting the renderer.
The primary goal is to limit the impact of compromised rendering or parsing code by ensuring that a compromised process cannot obtain data belonging to other sites. Site Isolation targets attackers exploiting remote code execution in renderer components, compromised or vulnerable dependencies in engines such as WebKit or V8, and side-channel adversaries using speculative execution attacks such as those reported by Google Project Zero and academic research groups. The threat model assumes the attacker can execute arbitrary code in a renderer or coerce it into leaking its own memory; the counters are therefore enforced outside the renderer. The browser process never hands cookies or other credentials to renderers, withholds cross-site HTML, XML and JSON response bodies from a process that should not read them, and keeps the DOM of cross-site frames in a different address space, so the same-origin policy is backed by a process boundary rather than only by checks inside the renderer. The boundary is the site, not the origin: two documents from different subdomains of the same registrable domain share a process and are not protected from each other. Site Isolation does not aim to replace defenses such as Content Security Policy or Subresource Integrity, but to act as an orthogonal mitigation against process-level exfiltration.
Process-per-site models increase the number of renderer processes, which raises memory consumption, process scheduling load, and inter-process communication overhead; Chromium reported roughly 10 to 13 percent additional memory use in real workloads when it enabled Site Isolation by default in Chrome 67. The overhead interacts with the memory managers of the Linux kernel and Windows NT, and is more acute on memory-constrained mobile devices running Apple Inc.'s iOS and Google's Android. Browser vendors mitigate the cost by reusing an existing process for a site instead of creating a new one once a soft process limit is reached, by tuning process priorities and scheduling, and by discarding or freezing the processes of background tabs, as Chrome's tab lifecycle features and Mozilla Firefox's tab unloading do. The trade-off between isolation and throughput is measured with memory and page-load telemetry on real workloads as well as with synthetic benchmarks.
Work on Site Isolation began in the Chromium Project years earlier, but its deployment accelerated after the January 2018 disclosure of the Spectre speculative execution vulnerabilities by Google Project Zero and academic research teams. Google shipped Site Isolation as an opt-in feature in Chrome 63 and enabled it by default for desktop users in Chrome 67 in July 2018; Chrome 77 extended a partial form to Android, isolating sites on which the user logs in. Other vendors followed: Mozilla Firefox developed the Fission project, enabled by default in Firefox 95 in late 2021, and Microsoft Edge inherited Chromium's implementation after its move to a Chromium-based architecture in 2020. Adoption was driven by the demonstrated risk of cross-site data leakage, by open-source contributions to the Chromium Project, and by web-platform standards work on CORS, CORB and related response policies.
Critics point to increased memory usage, added complexity in browser architecture, and incomplete protection: microarchitectural channels that cross process boundaries, such as attacks leaking across sibling hyperthreads, require operating system and microcode mitigations that Site Isolation cannot supply, and same-site cross-origin documents still share a process. Some privacy researchers note that process allocation itself can become an observable signal, for example through timing differences between in-process and out-of-process frames, which could contribute to fingerprinting. Compatibility issues arise with web applications that rely on synchronous cross-frame scripting, on document.domain to relax the origin boundary, or on legacy plugins such as Adobe Flash, which predate out-of-process iframes. Operationally, maintaining performance parity with non-isolated browsers requires continual engineering investment from organizations like Google and the Mozilla Foundation, and the approach must coexist with web-platform standards such as Cross-Origin Resource Sharing and the opener and embedder policies (COOP and COEP) that sites use to opt into stronger isolation.
Category:Web security