Protect your data with site isolation

Chrome version 63 and later

Applies to managed Chrome Browsers and Chrome devices.

As a Chrome administrator, you can protect Chrome Browser users who visit untrusted sites by turning on site isolation. 

Site isolation separates pages from different websites. When site isolation is turned on, it's harder for malicious sites to bypass security measures that exist to prevent data theft. Learn more about site isolation.

You can turn on site isolation for all sites that users visit or for specific sites.

Step 1: Review policies

Policy Description and settings
SitePerProcess

When enabled—Turns on site isolation for all websites for your entire organization. All sites that users visit will run in a dedicated rendering process, isolated from each other.

When disabled—The browser will not use any dedicated processes for rendering sites.

Unset—Users can choose whether to turn on site isolation.

Note: Configuring site isolation for all websites gives you the strongest security, but it also increases memory usage by approximately 10% on computers that use Chrome Browser.

IsolateOrigins

When enabled—Turns on site isolation only for specific websites that users visit. Sites you specify run in a dedicated rendering process. You can include sites that users sign in to as well as other sites that contain sensitive information, such as productivity sites or intranet sites.

When disabled—The browser will not use any dedicated process for rendering sites.

Unset—Users can choose whether to turn on site isolation.

Step 2: Turn on site isolation

Follow the steps below that match how you manage these policies.

Admin console

Applies when users sign in to a managed Google Account on Chrome Browser or a Chrome device.

These steps assume you're familiar with making Chrome settings in your Admin console.

  1. Follow standard steps to make Chrome User settings:
    1. In your Admin console, go to Devices and then Chrome management and then User settings.
    2. Select the organization containing the users you want to apply this setting to.

    Important: Make sure Managed Chrome Browser is turned on for the organization.

    For complete details, see Set a Chrome policy for multiple apps.

  2. Go to the Site Isolation section.
  3. To turn on site isolation for all websites:
    1. Under Site Isolation policy, select Turn on site isolation for all websites (SitePerProcess).
    2. (Optional) Enter additional origins, separated by commas, that you want to isolate from their respective websites. For example, enter https://login.example.com to keep it isolated from the rest of https://example.com.
  4. To turn on site isolation for specific websites:
    1. Under Site Isolation policy, select Turn on site isolation for specific websites (IsolateOrigins).
    2. Enter a list of websites and origins, separated by commas, that you want to isolate.
  5. At the bottom, click Save.
Windows
Applies to Windows users who sign in to a managed account on Chrome Browser.

Using Group Policy

In Group Policy Editor, go to Computer or User Configuration and then Policies and then Administrative Templates and then Google and then Google Chrome for both policies below. 

Turn on site isolation for all websites

Leaving this policy Not Configured uses the Unset behavior described above.

  1. Locate and enable Enable Site Isolation for every website.
    Tip: If you don’t see this policy, download the latest policy template.

  2. Test site isolation for all websites locally using the command line flag: 
    --site-per-process

  3. Deploy the update to your users.

Turn on site isolation for specific websites

Leaving this policy Not Configured uses the Unset behavior described above.

  1. Locate and enable Enable Site Isolation for specified origins.

    Tip: If you don’t see this policy, download the latest policy template.

  2. Enter URLs for isolation in a comma-separated list.
    Example: https://example.com/,https://othersite.org/

  3. Test site isolation for these sites locally using the command line flag: 
    --isolate-origins=https://example.com,https://subdomain.example.org
  4. Deploy the update to your users.
Mac
Applies to Mac users who sign in to a managed account on Chrome Browser.

In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users.

<dict>
  <key>SitePerProcess</key>
  <true/>
  <key>IsolateOrigins</key>
  <string>https://www.site1.com,https://www.site2.net</string>
</dict>


Linux
Applies to Linux users who sign in to a managed account on Chrome Browser.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file and enter URLs as needed:
    • SitePerProcess—Set to true to enable the policy.
    • IsolateOrigins—Add the URLs that you want to isolate. 
  3. Test site isolation for these sites locally using the command line flag: 
    --isolate-origins=https://example.com,https://subdomain.example.org
  4. Deploy the update to your users.

This example shows how to enable the SitePerProcess policy (the value is a JSON boolean, not a quoted string):

{
  "SitePerProcess": true
}

This example shows how to isolate site1.com and site2.net:

{
  "IsolateOrigins": "https://site1.com/,https://site2.net/"
}
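As an added example (not from this article or from Chrome itself), the following Python script generates the Linux managed-policy JSON with the value types Chrome expects, rejects entries that are not plain http(s) origins, and produces the matching --isolate-origins flag for the local test in step 3. The file name site_isolation.json and the helper names are this example's own choices.

```python
"""Build and validate Chrome site-isolation policy JSON for Linux.

Added example, not part of the Chrome help article. It writes the kind of
file /etc/opt/chrome/policies/managed/ expects: SitePerProcess as a real
boolean and IsolateOrigins as one comma-separated string without spaces.
"""
import json
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def normalize_origin(value: str) -> str:
    """Return scheme://host[:port] for value, or raise ValueError.

    Chrome compares origins, so a path, query, fragment or stray
    whitespace in an entry would never match the site being isolated.
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"not an http(s) origin: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path or query: {value!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def build_policy(site_per_process: bool, isolate_origins=()) -> dict:
    """Policy dict using the types Chrome expects for each key."""
    policy = {"SitePerProcess": bool(site_per_process)}
    origins = [normalize_origin(o) for o in isolate_origins]
    if origins:
        policy["IsolateOrigins"] = ",".join(origins)  # no spaces after commas
    return policy


def isolate_origins_flag(isolate_origins) -> str:
    """Command-line flag equivalent to the IsolateOrigins policy value."""
    return "--isolate-origins=" + ",".join(normalize_origin(o) for o in isolate_origins)


def write_policy(path: Path, policy: dict) -> str:
    """Write the policy file (hypothetical name site_isolation.json) and return its text."""
    text = json.dumps(policy, indent=2) + "\n"
    path.write_text(text)
    return text


if __name__ == "__main__":
    print(json.dumps(build_policy(True, ["https://site1.com/", "https://site2.net/"]), indent=2))
```

Run it as root to write into /etc/opt/chrome/policies/managed, or point write_policy at a scratch directory first and compare the output with the examples above.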

Step 3: Verify site isolation

To verify that you successfully isolated sites:

  1. Navigate to a website that has cross-site subframes:  
    1. Go to http://csreis.github.io/tests/cross-site-iframe.html.
    2. Click Go cross-site (complex page).
    3. The main page should be on the http://csreis.github.io site, and the subframe will be on the https://chromium.org site.
  2. Open the Chrome Task Manager. (Chrome Menu and then More tools and then Task Manager)
  3. Verify that the main page and the subframe are listed in separate rows associated with different processes. For example:
    • Tab: csreis.github.io/tests/cross-site-iframe.html - Process ID = 1234
    • Subframe: https://chromium.org - Process ID = 5678

If you see the subframe process in Task Manager, then site isolation is correctly enabled. If you're isolating specific websites, you must include http://csreis.github.io or https://chromium.org in the list of origins.

Turn off site isolation

To turn off site isolation, disable the policies you set above.

After you disable the isolation policy, Chrome uses its pre-site isolation process model to render websites. Different sites might share processes with each other. And cross-site frames might be rendered in the same process as their parent page. Disabling a policy disables field trials of both policies.

Known issues

  • Some minor issues can occur with webpage appearance or input events, such as mouse clicks, touches, or other ways of interacting with the page.
  • Chrome's Developer Tools (DevTools) might not fully support cross-site iFrames in the performance panel or mobile-device emulation.