Site Isolation: Confining Untrustworthy Code in the Web Browser

Conference: BlackHat EU 2019

In the late 2000s, web browsers moved from single-process to multi-process architectures, introducing a sandbox boundary between untrustworthy code from the web and local resources. While that boundary was effective at the time, the security landscape has changed and a stronger architecture is now needed. In this talk, we will cover our deployment of the Site Isolation architecture to Chrome users. This pushes the browser security model forward, mitigating entire classes of attacks: from same-process Spectre exploits to UXSS to arbitrary code execution inside the renderer sandbox. We will discuss how the browser's architecture has changed, what security properties it offers, what limitations still exist, and how we preserved compatibility and performance in order to scale it to all Chrome desktop users. Finally, we will give examples of new types of Site Isolation bypass bugs that fall within the scope of Chrome's Vulnerability Rewards Program, for those motivated to help us make this defense stronger.