November 30, 2023

Mozilla is currently testing a major new security feature for its Firefox browser which will separate every website into its own process.

Site Isolation is designed to prevent Spectre-like side-channel attacks in the popular open source browser. Site Isolation, builds upon a new security architecture that extends current protection mechanisms of the browser by making it load each site in its own operating system process.

To fully protect your private information, a modern web browser not only needs to provide protections on the application layer but also needs to entirely separate the memory space of different sites

Shared processes

Currently upon launch Firefox starts a privileged parent process, which further spawns eight processes for web content, and a maximum of two additional semi privileged web content processes, along with four utility processes for web extensions, GPU operations, networking, and media decoding. This arrangement still makes it possible for a malicious site to be placed in the same process as another trusted site.

Since all websites inside a process share the same memory, the untrusted site will be able to read the contents of the shared memory. This gets particularly dangerous when you consider the fact that all online ads, and embedded pages are placed into the same process as the parent page.

Isolated silos

With Site Isolation, not only will all websites exist in their own process, each of the embedded elements that are not part of the same site will also be allocated their own processes.

For starters, using more processes to load websites will enable Firefox to efficiently use available resources by spreading work across different CPU cores. Siloed approach, tab crashes will not have any impact on websites loaded in different processes.

The Site Isolation feature is currently being tested in nightly and beta builds of the browser, and will make its way into the stable release when the developers consider it to be stable.

Leave a Reply

%d bloggers like this: