How to enable Strict site isolation mode in Google Chrome

Martin Brinkmann
Dec 8, 2017
Updated • May 30, 2018
Google Chrome
|
10

Strict site isolation is a new experimental feature of Google's Chrome web browser that ensures that processes are limited to pages from one site.

Chrome's multi-process architecture was introduced with the release of the browse. It improves security and stability of the browser at the expense of computer memory.

Security is improved as it becomes much harder for attackers to interact with content that is in other processes, and stability is improved as a crashing tab won't usually take the whole browser with it or other tabs.

Processes may still be shared in Chrome's default multi-process system. If you navigate to several different web pages in a single tab, these may be opened in a single process. The same is true for embedded web pages using iframes. Both mean that potentially unrelated sites share a single process.

Tip: You can configure Chrome to use one process per site which reduces the browser's memory usage.

Strict site isolation

Google introduced Strict site isolation mode in Chrome 63 which the company released the other day. The feature is not enabled by default, but available as an experimental flag.

Highly experimental security mode that ensures each renderer process contains pages from at most one site. In this mode, out-of-process iframes will be used whenever an iframe is cross-site. Mac, Windows, Linux, Chrome OS, Android

If enabled, Chrome will create new processes for the scenarios mentioned above. Basically, what it means is that Chrome will create new processes for any domain visited by the user.

This improves stability and security further, but it comes at the expense of additional memory requirements. Depending on how the browser is used, memory usage may go up by 20% or even more with Strict site isolation enabled as more processes will be spawned by Chrome.

How to enable Strict site isolation

chrome strict site isolation

The feature is available as an experimental flag currently. It is available for all desktop systems -- Windows, Mac and Linux -- as well as ChromeOS and Android.

  1. Load chrome://flags/#enable-site-per-process in Chrome's address bar to jump straight to it.
  2. Click on the "enable" button to change its state.
  3. Restart the Chrome browser.

You can undo the change at any time by repeating the steps, and clicking on the disable button this time.

You may start Chrome with the --site-per-process parameter for the same effect. Just add --site-per-process to Chrome's start to enable Strict Site Isolation in the browser.

The parameter enables the security and stability feature for all sites you visit in the web browser. You can use the startup parameter --isolate-origins to use it for specific sites only, e.g. --isolate-origins=https://www.facebook.com, https://google.com would enable the feature for the two referenced domains.

Users may disable Strict Site Isolation in Chrome in two ways currently:

  1. Load chrome://flags#enable-site-per-process and set the flag to disabled.
  2. Load chrome://flags#site-isolation-trial-opt-out and set the flag to Opt-out (not recommended).

Closing Words

Chrome is quite memory hungry already, but if you have enough RAM in your machines, you may want to enable the feature to improve stability and security further. You should not enable the feature if the machine you run Chrome on is low on RAM already, or if you don't want to or are allowed to run experimental features on it.

Summary
How to enable Strict site isolation mode in Google Chrome
Article Name
How to enable Strict site isolation mode in Google Chrome
Description
Strict site isolation is a new experimental feature of Google's Chrome web browser that ensures that processes are limited to pages from one site.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Sergey said on October 16, 2020 at 5:13 pm
    Reply

    You can use the startup parameter –isolate-origins to use it for specific sites only, e.g. –isolate-origins=https://www.facebook.com
    Is there a parameter that, on the contrary, turns off this function on a given site ???

  2. Srichon Boontharikwong said on April 5, 2019 at 12:02 am
    Reply

    chrome://flags/#enable-site-per-process

  3. John said on February 25, 2018 at 6:55 pm
    Reply

    Chrome having almost as much market share as Internet Explorer once had, means its a big target for malware. Not to mention that a lot of countries are very much skeptical of Google and its privacy terms. Gee, if we could only use Chromium more and skip the Google portion of the browser. I use Edge now having dumped Chrome because it has simply become too dominating for me. If Edge gives me grief I will switch to Firefox before Chrome. All browsers are doing some sort of sandboxing process to increase security. This has definitely resulted in higher ram and resource use. Hard to find a browser that does not use ram these days. Site isolation just adds to that overhead a lot, not for the systems short on RAM.

  4. kenneth younger said on January 9, 2018 at 5:53 pm
    Reply

    anyway to automate this without user interaction? Silent deployment?

  5. Paulinihiniohs said on December 8, 2017 at 5:36 pm
    Reply

    No, thanks, I’ll stick with Firefox. Chrome being the MOST used browser in the market means that 0day exploits are much more lucrative than those of competitors, so it’s not necessarily most secure.

    Also Google is a data mining company and Chrome is just a spyware to their servers. Also Rust and Servo rocks!

  6. Richard Allen said on December 8, 2017 at 11:07 am
    Reply

    Strict site isolation is not really all that new of an experimental feature, it’s been available for months in Chrome stable, along with top document isolation, framebusting requires same-origin, block scripts loaded via document.write and others.

    I’ve noticed in the past and currently, that some sites, not many but some, do not like ‘strict site isolation’ Or ‘top document isolation’. I’ve occasionally noticed the page load indicator spinning forever, I never looked in the dev tools to see what was going on I just stopped the page load from the address bar. Also with ‘strict site isolation’ you could have 4 websites/tabs open and each tab can have a separate process for let’s say facebook, instagram and other third party sites. Point is you could potentially have 4 sites with 4 process and then each site/tab has an additional process for facebook. So, 8 processes for those 4 tabs plus a gpu process, a browser process and a process for some extensions. How about if each website ends up with a separate process for facebook And a separate process for instagram And a separate process for adnexus or whatever? Can quickly get expensive as far as memory usage goes. I can see the use in a corporate environment that frequently deals with highly sensitive information but how useful is it really for the average home user, especially one using a content blocker or other security/privacy extensions?

    One option would be to use the command line switch ” –process-per-site” which would then force all of the facebook processes to use one process and all of the instagram processes to use one process and so forth. Just throwing that out there for info purposes.

    And then, another option is to use the flag for ‘top document isolation’ which kind of does the same thing but ALL of the third-party processes will share one process.

    As someone who primarily uses Firefox, I have to give google credit for making available some potentially useful security and privacy related options in the last year.

    1. Richard Allen said on December 8, 2017 at 11:36 am
      Reply

      “third-party processes will share one process” should instead have been “third-party iframes will share one process”
      I need more coffee!

  7. bugsy said on December 8, 2017 at 9:39 am
    Reply

    Chrome exists purely as a Google data mining tool, no thanks.

    1. John said on February 25, 2018 at 6:48 pm
      Reply

      Yep, but apparently a lot of people don’t really care what Google collects. I stop using Chrome a long time ago when I realized things were getting a bit to creepy for me about what Google collects and how long it keeps that data. It would be a great browser if Google could keep its hands off your data. Too much to ask coming from a company that benefits directly knowing as much about you as they can. Yes, absolutely Chrome is just a tool for Google to mine data about you. Should we be at all surprised? No.

  8. ams said on December 8, 2017 at 9:20 am
    Reply

    Both in chrome and in firefox, I usually want to prevent same-site (same-origin) pages opened in different tabs from being able to “talk to each other”. (Why? Because ebay, amazon, and other commerce sites will annoyingly reload/change pages which are idling in non-focused tabs.) According to an earlier ghacks article

    https://www.ghacks.net/2016/03/02/manage-service-workers-in-firefox-and-chrome/

    in firefox, the following preference seemed to accomplish that goal: dom.serviceWorkers.enabled = false

    but the earlier article, nor this one, indicates it is impossible accomplish this with Chrome via preferences.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.