Manage site isolation

Supported on Chrome 63 and later

Google’s site isolation feature improves security for Chrome browser users. When you enable site isolation, content for each open website in the Chrome browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

Before you begin

  • Configuring site isolation for all websites gives you the strongest security. However, it will increase memory usage by approximately 10% on computers that use Chrome.
  • If you choose to deploy the site isolation feature, Google recommends you use Chrome policy templates and not the command-line flag.
  • For Microsoft® Windows® deployments, you need to download and install the latest administrative templates on your domain controller.
  • Any changes to your site isolation policy won't take effect until Chrome is restarted.

Configure site isolation on Windows

Turn on site isolation for all websites

When you turn on site isolation for all websites, every site runs in a dedicated rendering process and all sites are isolated from each other.

To test site isolation for all websites locally before you deploy it to your organization, use the command line
flag
:
--site-per-process

To turn on site isolation for all websites for your entire organization, enable the SitePerProcess policy and deploy the updated policy settings to your Chrome devices.

Turn on site isolation for specific websites

You can create a specific list of websites that you want to isolate. Each entry on the list will run in a dedicated rendering process. You can include sites that users sign in to as well as other sites that contain sensitive information, such as productivity sites or intranet sites.

To test your configuration locally before you deploy it to your organization, use the command line flag to specify a list of websites that you want to isolate. For example:

--isolate-origins=https://example.com,https://subdomain.example.org

To turn on site isolation for a specific list of websites for your entire organization, configure the IsolateOrigins policy and deploy the updated policy settings to your Chrome devices.

Verify site isolation

If you would like to test that Site Isolation has been successfully turned on, you can follow the steps below:

  1. Navigate to a website that has cross-site subframes.  For example: 
  2. Open Chrome's Task Manager: Chrome Menu -> More tools -> Task manager (Shift+Esc).
  3. Verify that the main page and the subframe are listed in separate rows associated with different processes.  For example:
    • Tabs: creis.github.io/tests/cross-site-iframe.html - Process ID = 1234
    • Subframe: https://chromium.org - Process ID = 5678

If you see the subframe process in Chrome's Task Manager, then Site Isolation is correctly enabled.  The steps work when using the approach above under Turn on site isolation for all websites (i.e., --site-per-process).  They also work when using the approach above under Turn on site isolation for specific websites (i.e., --isolate-origins), as long as the list of origins provided includes either http://csreis.github.io or https://chromium.org.

Turn off site isolation

If you disable either site isolation policy, Chrome will use its pre-site isolation process model to render websites. Different sites may share processes with each other and cross-site iframes may be rendered in the same process as their parent page.

Note: Disabling either policy will also disable field trials of the SitePerProcess and IsolateOrigins policies.

Turn on site isolation from the Admin Console

Use the Google Admin console to configure site isolation for Chrome OS users and anyone who uses cloud policies on Chrome.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Chrome management.
  4. Click User settings.
  5. (Optional) To apply the settings to an organization:
    1. On the left, select the organization.
    2. Make sure Managed Chrome Browser is turned on for this organization.
      Learn more about the organizational structure.
  6. Go to the Site Isolation section.
  7. If you want to turn on site isolation for all websites:
    1. Select Turn on site isolation for all websites (SitePerProcess).
    2. (Optional) Enter additional origins, separated by commas, that you want to isolate from their respective websites. For example, enter https://login.example.com to keep it isolated from the rest of https://example.com.
  8. If you want to isolate specific websites:
    1. Select Turn on site isolation for specific websites, set below (IsolateOrigins).
    2. Enter a list of websites and origins, separated by commas, that you want to isolate.
  9. At the bottom, click Save.
    Settings typically take effect in minutes, but can take up to an hour to apply for everyone.

Known issues

  • Some minor issues may occur with web page appearance or input events.
  • Chrome's Developer Tools (DevTools) may not fully support cross-site iframes in the performance panel or mobile device emulation.

Related topics

Was this article helpful?
How can we improve it?