Google Chrome Enterprise

Planning your return to office strategy? See how Chrome OS can help.

Protect your data with site isolation

Chrome version 63 and later

Applies to managed Chrome browsers and Chrome OS devices.

As a Chrome administrator, you can protect Chrome Browser users who visit untrusted sites by turning on site isolation. 

Site isolation separates pages from different websites. When site isolation is turned on, it's harder for malicious sites to bypass security measures that exist to prevent data theft. Learn more about site isolation.

You can turn on site isolation for all sites that users visit or for specific sites.

Step 1: Review policies

Policy Description and settings
SitePerProcess

When enabled—Turns on site isolation for all websites for your entire organization. All sites that users visit will run in a dedicated rendering process, isolated from each other.

When disabled—The browser will use any dedicated processes for rendering sites.

Unset—Users can choose whether to turn on site isolation.

Note: Configuring site isolation for all websites gives you the strongest security, but it also increases memory usage by approximately 10% on computers that use Chrome Browser.
IsolateOrigins

When enabled—Turns on site isolation only for specific websites that users visit. Sites you specify run in a dedicated rendering process. You can include sites that users sign in to as well as other sites that contain sensitive information, such as productivity sites or intranet sites.

When disabled—The browser will not use any dedicated process for rendering sites.

Unset—Users can choose whether to turn on site isolation.

Step 2: Create a list of sites to isolate

On Chrome 76 and earlier, you create a list of all of the origins that you want to isolate by specifying each origin in full. For example:
https://a.example.comhttps://b.example.comhttps://c.example.com.

From Chrome 77 and later, you can also specify a range of origins to isolate using a wildcard.

For example, specifying https://[*.]example.com isolates https://a.example.com, https://b.example.com, and https://c.example.com. In addition, it isolates any matching origin under https://[*.]example.com, such as:

  • https://a1.example.com
  • https://a2.a1.example.com
  • https://a3.a2.a1.example.com

You can use the wildcard notation to isolate a whole range of origins in a convenient way. For example, specifying https://[*.]corp.solarmora.com ensures that all Solarmora corporate origins are isolated.

Step 3: Turn on site isolation

Click below for steps, based on how you want to manage these policies.

Admin console

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

Important: Make sure Managed Chrome Browser is turned on for the organization.

  1. From the Admin console Home page, go to Devicesand thenChrome.
  2. Click Settingsand thenUsers & browsers.
  3. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Go to the Site isolation section.
  5. To turn on site isolation for all websites:
    1. For Site isolation, select Turn on site isolation for all websites.
    2. (Optional) Enter additional origins, separated by commas, that you want to isolate from their respective websites. For example, enter https://login.example.com to keep it isolated from the rest of https://example.com.
  6. To turn on site isolation for specific websites:
    1. For Site isolation, select Turn off site isolation for all websites, except those below.
    2. Enter a list of websites and origins, separated by commas, that you want to isolate.
  7. Click Save.
Windows
Applies to Windows users who sign in to a managed account on Chrome browser.

Using Group Policy

In Group Policy Editor, go to Computer or User Configuration and then Policies and then Administrative Templates and then Google and then Google Chrome for both policies below. 

Turn on site isolation for all websites

Leaving this policy Not Configured uses the Unset behavior described above.

  1. Locate and enable Enable Site Isolation for every website.
    Tip: If you don’t see this policy, download the latest policy template.

  2. Test site isolation for all websites locally using the command line flag: 
    - - site-per-process

  3. Deploy the update to your users.

Turn on site isolation for specific websites

     Leaving this policy Not Configured uses the Unset behavior described above.

  1. Locate and enable Enable Site Isolation for specified origins.

    Tip: If you don’t see this policy, download the latest policy template.

  2. Enter URLs for isolation in a comma-separated list.
    Example: https://example.com/,https://othersite.org/

  3. Test site isolation for these sites locally using the command line flag: 
    - - isolate-origins=https://example.com, https://subdomain.example.org
  4. Deploy the update to your users.
Mac
Applies to Mac users who sign in to a managed account on Chrome browser.

In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users.

<dict>
<key>SitePerProcess</key>
  <true/>
</dict>
<dict>
<key>IsolateOrigins</key>
  <string>”https://www.site1.com,https://www.site2.net”</string>
</dict>

Linux
Applies to Linux users who sign in to a managed account on Chrome browser.

Using your preferred JSON file editor:

  1. Go to your etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file and enter URLs as needed:
    • SitePerProcess—Set to true to enable the policy.
    • IsolateOrigins—Add the URLs that you want to isolate. 
  3. Test site isolation for these sites locally using the command line flag: 
    - - isolate-origins=https://example.com, https://subdomain.example.org
  4. Deploy the update to your users.

This example shows how to enable the SitePerProcess policy:

{
"SitePerProcess": "true"
}

This example shows how to isolate site1.com and site2.net:  
{
“IsolateOrigins”:”https://site1.com/,https://site2.net/”
}

Step 4: Verify site isolation

To verify that you successfully isolated sites:

  1. Navigate to a website that has cross-site subframes:  
    1. Go to http://csreis.github.io/tests/cross-site-iframe.html.
    2. Click Go cross-site (complex page).
    3. The main page should be on the http://csreis.github.io site. And, the subframe will be on the https://chromium.org site.
  2. Open the Chrome Task Manager. (Chrome Menu and then More tools and then Task Manager)
  3. Verify that the main page and the subframe are listed in separate rows associated with different processes.  For example:
    • Tabs: creis.github.io/tests/cross-site-iframe.html - Process ID = 1234
    • Subframe: https://chromium.org - Process ID = 5678

If you see the subframe process in Task Manager, then site isolation is correctly enabled. If you're isolating specific websites, you must include http://csreis.github.io or https://chromium.org in the list of origins.

Turn off site isolation

To turn off site isolation, disable the policies you set above.

After you disable the isolation policy, Chrome uses its pre-site isolation process model to render websites. Different sites might share processes with each other. And cross-site frames might be rendered in the same process as their parent page. Disabling a policy disables field trials of both policies.

Known issues

  • Some minor issues can occur with webpage appearance or input events, such as mouse clicks, touches, or other ways of interacting with the page.
  • Chrome's Developer Tools (DevTools) might not fully support cross-site iFrames in the performance panel or mobile-device emulation.
Was this helpful?
How can we improve it?
true
Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
410864
false