Google Chrome has a set of features to speed up the page loading. Bug was discovered that allows attackers to bypass the browser’s Site Isolation feature. Chrome uses Same Origin Policy to prevent websites from accessing each other’s data inside the browser. Security bugs such as Spectre open pathways to bypassing these policies.
Site isolation Feature
Site Isolation is a line of defense that protects browsers against such threats. Site Isolation means documents from different websites are rendered independently rather than in a shared process. This makes it much harder for malicious websites to steal information from other websites. Even if a cross-domain website is embedded in another website through an iframe, Site Isolation will still load it in a separate process to protect its information.
Service worker bug
The exploit starts when a malicious website uses ‘navigation preload’, a feature that loads a URL in parallel to booting the service worker. In this case, the malicious code uses a URL loader with Cross-Origin Read Blocking (CORB) disabled. CORB is an algorithm that prevents cross-origin resource loads in web browsers before they reach the web page.
Once the CORB-disabled URL loader is ready, it is passed on to the service worker, where it loads the requested content and destroy itself. The URL loader is supposed to prevent redirects, but since the service worker has access to URL loader interface, it can modify its behaviour to follow the redirect and read the full response even if it’s from a cross-origin domain. Site Isolation feature will not block the code from accessing the off-bounds data. The issue was fixed in Chrome 96.