Firefox to get a 'site isolation' feature, similar to Chrome
After a year of secret preparations, Mozilla has publicly announced plans today to implement a "site isolation" feature, which works by splitting Firefox code in isolated OS processes, on a per-domain (site) basis.
Security
The concept behind this feature isn't new, as it's already present in Chrome, since May 2018, when Google began to slowly roll it out to all customers, reaching a 99 percent userbase coverage by July of the same year.
Also: Online security 101: Tips for protecting your privacy
Chrome's Site Isolation feature was designed as a security mechanism for the Chrome browser years before its release, but it's rollout coincided with the public disclosure of the Meltdown and Spectre CPU flaws, which the Site Isolation fully mitigated, even if it was never its primary purpose.
Mozilla, which also delivered Meltdown and Spectre patches in the form of reducing the accuracy of various JavaScript functions inside Firefox, saw Google's approach to the CPU flaws as superior, as it also helped prevent future similar exploits and many more other security issues.
In a newsletter today, Mozilla developer Nika Layzell, said the organization started working on a similar site isolation mechanism last year --in a project codenamed internally as Project Fission.
"Over the last year, we have been working to lay the groundwork for Fission, designing new infrastructure," Layzell said. "In the coming weeks and months, we'll need help from all Firefox teams to adapt our code to a post-Fission browser architecture."
The post-Fission browser architecture Layzell is referring to is similar to how Chrome works right now. Mozilla devs, too, plan to isolate each website the user is accessing into a separate process.
Currently, Firefox comes with one process for the browser's user interface, and a few (two to ten) processes for the Firefox code that renders the websites.
With Project Fission, these latter processes will change, and a separate one will be created for each website a user is accessing.
This separation will be so fine-grained that just like in Chrome, if there's an iframe on the page, that iframe will receive its own process as well, helping protect users from threat actors that hide malicious code inside iframes (HTML elements that load other websites inside the current website).
Project Fission is no small task, and Layzell, which serves as the Project Fission Tech Lead, says it will take years and a monumental amount of work from all Firefox development teams to adapt the browser's core for a truly multi-process architecture.
There is no estimated time of arrival (ETA) for Project Fission, but Layzell hopes that Firefox devs will complete a first development phase by the end of this month.
Must read
- 5 ways to enforce company security (TechRepublic)
- Data breaches can sucker-punch you. Prepare to fight back (CNET)
"Our first milestone, 'Milestone 1' (clever, I know), is currently targeted for the end of February," he said. "In Milestone 1, we plan to have the groundwork for out-of-process iframes, which encompasses some major work."
Layzell will be keeping Firefox users up to date with work on Project Fission in a newsletter he'll be publishing on his GitHub site.
All the Chromium-based browsers
More browser coverage:
- Safari engineers look at different approach to fighting intrusive ads
- Google Chrome to get warnings for 'lookalike URLs'
- Firefox will soon warn users of software that performs MitM attacks
- Google Chrome 72 removes HPKP, deprecates TLS 1.0 and TLS 1.1
- Google releases Chrome extension to check for leaked usernames and passwords
- Firefox to block auto-playing audio starting March 2019
- How to use Vivaldi Tab Sessions TechRepublic
- Brave's privacy-focused ads to spread beyond startup's own browser CNET