Chrome version 63 and later
Applies to managed Chrome Browsers and Chrome devices.
As a Chrome administrator, you can protect Chrome Browser users who visit untrusted sites by turning on site isolation.
Site isolation separates pages from different websites. When site isolation is turned on, it's harder for malicious sites to bypass security measures that exist to prevent data theft. Learn more about site isolation.
You can turn on site isolation for all sites that users visit or for specific sites.
Step 1: Review policies
Policy | Description and settings |
---|---|
SitePerProcess | When enabled—Turns on site isolation for all websites for your entire organization. Every site that users visit runs in its own dedicated rendering process, isolated from the others. When disabled—The browser does not use any dedicated processes for rendering sites. Unset—Users can choose whether to turn on site isolation. Note: Configuring site isolation for all websites gives you the strongest security, but it also increases memory usage by approximately 10% on computers that use Chrome Browser. |
IsolateOrigins | When enabled—Turns on site isolation only for the specific websites you list. Each site you specify runs in a dedicated rendering process. You can include sites that users sign in to as well as other sites that contain sensitive information, such as productivity sites or intranet sites. When disabled—The browser does not use any dedicated process for rendering sites. |
Step 2: Create a list of sites to isolate
On Chrome 76 and earlier, you create a list of all of the origins that you want to isolate by specifying each origin in full. For example: https://a.example.com, https://b.example.com, https://c.example.com.
From Chrome 77 and later, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]example.com isolates https://a.example.com, https://b.example.com, and https://c.example.com. In addition, it isolates any matching origin under https://[*.]example.com, such as:
https://a1.example.com
https://a2.a1.example.com
https://a3.a2.a1.example.com
You can use the wildcard notation to isolate a whole range of origins in a convenient way. For example, specifying https://[*.]corp.solarmora.com ensures that all Solarmora corporate origins are isolated.
Step 3: Turn on site isolation
Click below for steps, based on how you want to manage these policies.
Admin console
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.
Important: Make sure Managed Chrome Browser is turned on for the organization.
- From the Admin console Home page, go to Devices and then Chrome.
- Click Settings and then Users & browsers.
- To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to the Site isolation section.
- To turn on site isolation for all websites:
- For Site isolation, select Turn on site isolation for all websites.
- (Optional) Enter additional origins, separated by commas, that you want to isolate from their respective websites. For example, enter https://login.example.com to keep it isolated from the rest of https://example.com.
- To turn on site isolation for specific websites:
- For Site isolation, select Turn off site isolation for all websites, except those below.
- Enter a list of websites and origins, separated by commas, that you want to isolate.
- Click Save.
Using Group Policy
In Group Policy Editor, go to Computer or User Configuration, then Policies, then Administrative Templates, then Google, then Google Chrome for both policies below.
Turn on site isolation for all websites
Leaving this policy Not Configured uses the Unset behavior described above.
- Locate and enable Enable Site Isolation for every website.
Tip: If you don't see this policy, download the latest policy template.
- Test site isolation for all websites locally using the command line flag: --site-per-process
- Deploy the update to your users.
Turn on site isolation for specific websites
Leaving this policy Not Configured uses the Unset behavior described above.
- Locate and enable Enable Site Isolation for specified origins.
Tip: If you don't see this policy, download the latest policy template.
- Enter URLs for isolation in a comma-separated list, with no spaces after the commas. Example: https://example.com/,https://othersite.org/
- Test site isolation for these sites locally using the command line flag: --isolate-origins=https://example.com,https://subdomain.example.org
- Deploy the update to your users.
Using a configuration profile (Mac)
In your Chrome configuration profile, add or update the following keys. The IsolateOrigins value is a single comma-separated string without surrounding quotation marks. Then, deploy the change to your users.
<dict>
<key>SitePerProcess</key>
<true/>
<key>IsolateOrigins</key>
<string>https://www.site1.com,https://www.site2.net</string>
</dict>
Using your preferred JSON file editor (Linux)
- Go to your /etc/opt/chrome/policies/managed folder.
- Create or update a JSON file and enter URLs as needed:
- SitePerProcess—Set to the JSON boolean true (not the string "true") to enable the policy.
- IsolateOrigins—Add the URLs that you want to isolate as one comma-separated string.
- Test site isolation for these sites locally using the command line flag: --isolate-origins=https://example.com,https://subdomain.example.org
- Deploy the update to your users.
This example shows how to enable the SitePerProcess policy:
{
"SitePerProcess": true
}
This example shows how to isolate site1.com and site2.net:
{
"IsolateOrigins": "https://site1.com/,https://site2.net/"
}
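As an added example (it is not Google's code and not part of this help page), the Python script below builds the Linux policy file from Step 3 and lints the origin list from Step 2 before you deploy it: it validates each IsolateOrigins entry (scheme, host, optional [*.] wildcard, no path, space or quotation marks), joins entries without spaces, emits SitePerProcess as a JSON boolean rather than the string "true", produces the matching --isolate-origins flag for local testing, and reports which origins you require isolated are not explicitly covered by the list. The entry grammar with an optional port, the function names and the sample origins are this example's assumptions. Its coverage check implements only the two rules this page states (an exact entry covers that origin, a [*.] entry covers every origin under that host), so "not covered" means the page does not document the origin as isolated, not that Chrome would leave it unisolated.

```python
"""Build and lint a Chrome site-isolation policy file (added example)."""
import json
import re

# One IsolateOrigins entry: scheme://[*.]host[:port]. "[*.]" is the
# Chrome 77+ wildcard from Step 2; accepting a port is this example's
# assumption (an origin is scheme + host + port).
_ENTRY = re.compile(
    r"^(?P<scheme>https?)://(?P<wild>\[\*\.\])?"
    r"(?P<host>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?$"
)

def parse_entry(entry):
    """Split one entry into parts; reject paths, spaces, quotes, bad schemes."""
    text = entry.strip().lower()
    if text.endswith("/"):            # the page writes https://example.com/
        text = text[:-1]
    match = _ENTRY.match(text)
    if match is None:
        raise ValueError(f"not an origin pattern: {entry!r}")
    return {"scheme": match["scheme"], "host": match["host"],
            "port": match["port"], "wildcard": match["wild"] is not None}

def is_valid_entry(entry):
    """True if the entry fits the entry grammar above."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False

def normalize(entry):
    """Canonical text: lower-case, no trailing slash, no surrounding space."""
    p = parse_entry(entry)
    wild = "[*.]" if p["wildcard"] else ""
    port = f":{p['port']}" if p["port"] else ""
    return f"{p['scheme']}://{wild}{p['host']}{port}"

def covers(entry, origin):
    """True only where this page says an entry isolates an origin.

    An exact entry covers exactly that origin; a [*.] entry covers every
    origin under its host (a.example.com, a2.a1.example.com, ...). False
    means "not documented on this page", not "Chrome will not isolate it".
    """
    pat, org = parse_entry(entry), parse_entry(origin)
    if org["wildcard"]:
        raise ValueError("the origin being checked must not contain [*.]")
    if (org["scheme"], org["port"]) != (pat["scheme"], pat["port"]):
        return False
    if pat["wildcard"]:
        # The leading dot keeps lookalikes such as notexample.com out.
        return org["host"].endswith("." + pat["host"])
    return org["host"] == pat["host"]

def build_policy(isolate_all=False, origins=()):
    """Policy dict for a file under /etc/opt/chrome/policies/managed/."""
    entries = [normalize(e) for e in origins]
    if len(set(entries)) != len(entries):
        raise ValueError("duplicate IsolateOrigins entries")
    policy = {}
    if isolate_all:
        policy["SitePerProcess"] = True                # JSON boolean, not "true"
    if entries:
        policy["IsolateOrigins"] = ",".join(entries)   # no space after commas
    return policy

def isolate_origins_flag(origins):
    """The equivalent command-line flag for local testing (Step 3)."""
    return "--isolate-origins=" + ",".join(normalize(e) for e in origins)

def uncovered(origins, must_isolate):
    """Required origins that no entry in the list explicitly covers."""
    return [o for o in must_isolate
            if not any(covers(e, o) for e in origins)]

if __name__ == "__main__":
    # Constructed sample list: the page's wildcard example plus a login origin.
    entries = ["https://[*.]corp.solarmora.com", "https://login.example.com/"]
    print(json.dumps(build_policy(origins=entries), indent=2))
    print(isolate_origins_flag(entries))
    print("not explicitly covered:", uncovered(entries, [
        "https://a2.a1.corp.solarmora.com",
        "https://login.example.com",
        "https://mail.example.com",           # sibling of login, not listed
    ]))
```

Run it before copying the printed JSON into the managed policy folder; the script writes nothing itself. The lookalike check matters because a wildcard entry is matched on a dot boundary, so https://[*.]example.com should never pull https://notexample.com into the isolated set, and the duplicate check catches the same origin listed twice with different casing or a trailing slash.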
Step 4: Verify site isolation
To verify that you successfully isolated sites:
- Navigate to a website that has cross-site subframes:
- Go to http://csreis.github.io/tests/cross-site-iframe.html.
- Click Go cross-site (complex page).
- The main page is on the http://csreis.github.io site, and the subframe is on the https://chromium.org site.
- Open the Chrome Task Manager (Chrome Menu, then More tools, then Task Manager).
- Verify that the main page and the subframe are listed in separate rows associated with different processes. For example:
- Tab: csreis.github.io/tests/cross-site-iframe.html - Process ID = 1234
- Subframe: https://chromium.org - Process ID = 5678
If you see the subframe process in Task Manager, then site isolation is correctly enabled. If you're isolating specific websites only, you must include http://csreis.github.io or https://chromium.org in the list of origins; otherwise neither site is isolated and the subframe is rendered in the same process as the main page, so this test shows nothing.
Turn off site isolation
To turn off site isolation, disable the policies you set above.
After you disable the isolation policy, Chrome uses its pre-site isolation process model to render websites. Different sites might share processes with each other. And cross-site frames might be rendered in the same process as their parent page. Disabling a policy disables field trials of both policies.
Known issues
- Some minor issues can occur with webpage appearance or input events, such as mouse clicks, touches, or other ways of interacting with the page.
- Chrome's Developer Tools (DevTools) might not fully support cross-site iframes in the performance panel or mobile-device emulation.