Mozilla Firefox now plans to roll out the much-awaited site isolation feature for user testing. Users can presently experience this feature with Nightly builds.
Firefox Site Isolation Feature
Mozilla has finally rolled out the Site Isolation feature in Firefox Nightly builds for testing. This feature plays a key role in protecting users from cross-site data leaks.
Mozilla first started to work on this feature following its success with Google Chrome that deployed it back in 2018. Google introduced this feature as a workaround for Spectre vulnerability affecting CPUs.
Then, in 2019, Mozilla announced its decision to develop a similar feature for Firefox under Project Fission. Describing ‘Site Isolation,’ Mozilla stated,
Site Isolation is a security feature that offers additional protection in case of large classes of security bugs. Site Isolation safely sandboxes web pages and web frames, isolating them from each other, further strengthening Firefox security.
In simple words, this feature prevents malicious websites to exploit any unpatched bugs in the browser that could allow data leak. With Site Isolation, the browser runs every website as a separate process. (Otherwise, all websites opened in a browser would run as a single process.)
Hence, due to separate processes, the browser prevents cross-site interaction that an adversary could exploit to access other sites’ data.
What Next?
While site isolation will enhance browser security, it presently has one major problem – excessive memory use. Due to separate processes, Firefox will likely consume more memory. Whereas, some other bugs also currently exist with the feature. Yet, the developers are working to resolve all these issues before the final release.
For now, users can test this feature in Firefox Nightly via the following steps.
1. In about:config, set the “fission.autostart” and “gfx.webrender.all” prefs to “true”. DO NOT edit any other “fission.*” or “gfx.webrender.*” prefs.
2. Restart Nightly.
Once enabled, the browser will show a “[F]” along with the process ID when a user hovers the mouse on a tab. The appearance of this sign hints at the site isolation feature running actively. Whereas, its non-appearance means site isolation is disabled.