Mozilla still working on Firefox’s site isolation security revamp

Mozilla’s Firefox browser doesn’t have site isolation security yet, but plans to enable it are in the works.

That’s according to an email seen by the Bleeping Computer news site, which ties its development to Project Fission. This is not to be confused with Project Fusion, the separate Firefox security overhaul that will integrate the Tor browser to transform its current weak privacy mode.

Site isolation – stopping a malicious website from accessing data in another tab – already exists in a basic form through the longstanding concept of the Same Origin Policy.

Same Origin Policy stops one website from siphoning data from a site open in a separate tab. Without it, logging into a banking website while a second, malicious website is open would become a huge risk.

This works well until an attacker discovers a security vulnerability that allows them to break this protection, as has been the case with occasional Universal Cross-site Scripting (UXSS) and Remote Code Execution (RCE) vulnerabilities.

But what seems to have thrown the cat among the sleeping pigeons is the revelation of the Meltdown and Spectre CPU vulnerabilities in early 2018.

The fact that Google’s own Project Zero researchers jointly authored those discoveries might explain why Google is currently ahead of Firefox, having enabled site isolation by default in Chrome 67, released in May.

The downside of site isolation is that it increases memory demands, which is why Fission encompasses redesigning this part of the browser’s inner workings as well as boosting its security.

As a Mozilla mailing on the topic noted:

“The problem is thus: In order for site isolation to work, we need to be able to run *at least* 100 content processes in an average Firefox session.”

To stop the memory overhead becoming a burden, each process has to be pared to around 7MB from today’s best estimate of between 17MB and 21MB on Windows.

Since January, Mozilla’s developers have been putting in place various mitigations to battle the Spectre and Meltdown cache-timing weaknesses. Once site isolation is in place, these would no longer be needed, which is a small comfort.

Nevertheless, from the latest information, it appears that Mozilla is still some months away from integrating site isolation into the shipping version of Firefox.

All this after Firefox Quantum, which appeared in November 2017, was supposed to bury the browser’s much-commented-upon memory consumption woes once and for all.

It hasn’t worked out that way. Browsers have been battling memory demands for as long as anyone can remember, and every time they seem to be getting on top of it, another problem pops up to set them back.

Site isolation will be well worth it in the end. It’s just that that longed-for ‘end’ might be some way off yet.