Add an enterprise policy flag for turning on Site Isolation (--site-per-process)

Issue description
This would be helpful for organizations that want to opt-in to Site Isolation as early adopters. Is it possible to get this into M-63?
,
Nov 10 2017
This looks like a variation of issue 760761, which is about letting enterprises specify a list of sites to isolate. It's also something we're actively exploring in issue 780133, where we're planning to run a trial to see if the full --site-per-process is acceptable in an enterprise setting and thus the list of sites wouldn't be necessary.

That said, we could add an experimental enterprise policy flag for full --site-per-process in parallel with running the trial, to have it ready to go for when we deem it ready. pastarmovj@: Can you comment on whether the current knobs in comment 1 are sufficient, or if we need something new?

As for M63, that milestone is getting the process model fixes from alexmos@ to support our signin isolation launch (issue 739418). For experimentation only, we could get the enterprise policy option there as well if that's desired.

However, there are lots of things for --site-per-process that aren't ready in M63, so I wouldn't recommend enabling it for enterprises there. Many of the enforcements are missing, so it's mainly about process isolation and not protecting site data from compromised renderers yet. (The process isolation alone may be useful for some threats, though.) It doesn't block cross-site documents yet even from non-compromised renderers (e.g., request a sensitive file into an img tag). There's also impact to memory use and process count at high percentiles and things like printing cross-site iframes don't work. See the list of known issues from our recent trial: https://docs.google.com/document/d/1pLFqivT6Ti1pMf5zbL-k8iBf3P1cRc6iCcFspXoV45Q/edit

Worth discussing further if this is something to prioritize for M63, or if we should continue our plans for the next trial in issue 780133 first.
,
Nov 10 2017
See also http://go/site-per-process-experiments for the results from our last field trial of this mode, to learn more about our experience with turning it on for a week on Canary.
,
Nov 11 2017
I've got a CL up for review.
,
Nov 13 2017
Generally we have shied away from introducing general mechanisms for setting flags through policy because they are transient and rather follow experimental features which we don't endorse for stable use. Admins on the other end tend to stick with their voodoo magic which they figured solves some issue and get upset when it stops working, and no amount of teaching that those are not meant for daily use but for testing helps. We do have something like this for ChromeOS but even there we don't expose it for anyone but Google's admins to set.

Back to the concrete case - I think this deserves a quick VC for us to discuss the benefits vs. risks for admins to give them some way to try this feature out earlier. Charlie, Chris, do you mind setting up a VC with me, blumberg and georgesak?

In a nutshell my understanding was that admins will need not just a binary flag but a list of sites that will be subjected to site isolation? Or is this the more brutal version where each site (as in tab or origin btw?) gets its own process? Also the listed issues above (printing etc.) sound like blockers too. On the other hand we do want admins to try out new features and give feedback so finding the right way to do this is a priority indeed.
,
Nov 13 2017
Comment 5: Yes, this is the more comprehensive mode, potentially creating more processes but providing process isolation for every site (i.e., eTLD + 1 plus scheme, like https://google.co.uk) rather than just a subset. I was planning to experiment with that in issue 780133 to see if the subset of sites is unnecessary. That's still in early stages, but it sounds like palmer@ has interest in getting an (experimental?) policy landed in parallel.

Yes, there are definitely functional regressions in that mode at the moment, so I would want that tradeoff to be clear to admins.

I'm happy to meet about it, but I'm in a meeting all day today and out Wednesday. palmer@, could you set something up for Tues, Thurs, or Fri?
,
Nov 13 2017
I scheduled a meeting. Unfortunately I think Friday is the earliest time.
,
Nov 17 2017
,
Nov 18 2017
,
Nov 18 2017
,
Nov 18 2017
Applying "ReleaseBlock-Stable" label per internal mail thread as this is a must-in for M63.
,
Nov 20 2017
palmer@ we need an update on this blocker please.
,
Nov 20 2017
palmer@ has a CL started at https://chromium-review.googlesource.com/c/chromium/src/+/765008. We're trying to get it finished and passing try jobs.
,
Nov 21 2017
Q: pastarmovj@: can a different enterprise policy be applied based on the target OS? (e.g. can an enterprise turn on --site-per-process on Windows, Mac, Linux but not Android?)
,
Nov 21 2017
I think Android was listed mistakenly. As far as I'm aware, we're not intending to enable the policy there in https://chromium-review.googlesource.com/c/chromium/src/+/765008.
,
Nov 22 2017
Still to answer the question - if the admins are managing more than one OS they need to set policies for each one separately anyhow, so yes, they can specify different OS policies. The only time this is not possible is if they are setting the policies on a per-user basis through the cloud policy delivery mechanism that is tied to signing in to the browser. Those are then delivered to the same account on all platforms. No policies get magically available as cloud policy though - it is a manual process of adding them to the cloud admin console so you don't have to worry about this case for now.
,
Nov 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ac7d75648d323f2e08afd117b09318a4290e52a2

commit ac7d75648d323f2e08afd117b09318a4290e52a2
Author: Chris Palmer <palmer@chromium.org>
Date: Wed Nov 22 20:12:54 2017

Add enterprise policy settings for Site Isolation.

Introduce enterprise policies to allow setting Site Isolation flags in enterprise environments.

BUG=783842, 760761
TBR=sky@chromium.org

Change-Id: I59b91aad33403a8138e5543bfb6847d68339b5c5
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation
Reviewed-on: https://chromium-review.googlesource.com/765008
Commit-Queue: Chris Palmer <palmer@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518725}

[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/chrome_browser_main.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/chrome_content_browser_client.h
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[add] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/policy/site_isolation_policy_browsertest.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/prefs/browser_prefs.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/browser/prefs/chrome_command_line_pref_store.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/common/pref_names.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/common/pref_names.h
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/test/BUILD.gn
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/components/policy/resources/policy_templates.json
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/content/browser/browser_main_loop.cc
[modify] https://crrev.com/ac7d75648d323f2e08afd117b09318a4290e52a2/tools/metrics/histograms/enums.xml
,
Nov 22 2017
M63 goes stable in < 2 weeks. Please target this feature for M64 so that it gets enough test coverage. It's too late for M63 given the magnitude of the change.
,
Nov 22 2017
As per comment #11, leaving this for M63
,
Nov 27 2017
,
Nov 27 2017
This bug requires manual review: We are only 7 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 27 2017
,
Nov 27 2017
Approved for M63 branch 3239 per c#11.
,
Nov 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005

commit e782cd2ad2e04d16a01b0a5d093f0dbcb125b005
Author: Chris Palmer <palmer@chromium.org>
Date: Mon Nov 27 23:18:12 2017

Add enterprise policy settings for Site Isolation.

Introduce enterprise policies to allow setting Site Isolation flags in enterprise environments.

BUG=783842, 760761
TBR=palmer@chromium.org, sky@chromium.org

(cherry picked from commit ac7d75648d323f2e08afd117b09318a4290e52a2)

Change-Id: I59b91aad33403a8138e5543bfb6847d68339b5c5
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation
Reviewed-on: https://chromium-review.googlesource.com/765008
Commit-Queue: Chris Palmer <palmer@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#518725}
Reviewed-on: https://chromium-review.googlesource.com/792130
Cr-Commit-Position: refs/branch-heads/3239@{#576}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}

[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/chrome_browser_main.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/chrome_content_browser_client.h
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[add] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/policy/site_isolation_policy_browsertest.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/prefs/browser_prefs.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/browser/prefs/chrome_command_line_pref_store.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/common/pref_names.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/common/pref_names.h
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/test/BUILD.gn
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/components/policy/resources/policy_templates.json
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/content/browser/browser_main_loop.cc
[modify] https://crrev.com/e782cd2ad2e04d16a01b0a5d093f0dbcb125b005/tools/metrics/histograms/enums.xml
,
Nov 30 2017
+ligi(Chrome browser-Enterprise TEs) for Testing on Chrome on all platforms.
,
Jan 6 2018
I don't think this needs RVG.
,
Jan 6 2018
Consider https://chromium-review.googlesource.com/#/c/chromium/src/+/853121/ merge approved for 64.
,
Jan 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3cc28e744dcaf51b94cd7bdf80d5b91d796f654b

commit 3cc28e744dcaf51b94cd7bdf80d5b91d796f654b
Author: Xiyuan Xia <xiyuan@chromium.org>
Date: Sat Jan 06 16:28:58 2018

cros: Add per-user command line for site isolate policy

Apply per-user command line for IsolateOrigins and SitePerProcess policy.

TBR=jdufault@chromium.org

Bug: 783842, 760761
Change-Id: I26aa567b7689ea0886062c91f539d7e07d354b8b
Reviewed-on: https://chromium-review.googlesource.com/853121
Commit-Queue: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#527521}

[modify] https://crrev.com/3cc28e744dcaf51b94cd7bdf80d5b91d796f654b/chrome/browser/chromeos/login/session/user_session_manager.cc
[modify] https://crrev.com/3cc28e744dcaf51b94cd7bdf80d5b91d796f654b/chrome/browser/chromeos/login/session/user_session_manager.h
[modify] https://crrev.com/3cc28e744dcaf51b94cd7bdf80d5b91d796f654b/chrome/browser/ui/webui/flags_ui.cc
,
Jan 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c13b2f4bb1a9da416c942c8cadd2c5443fd7ae54

commit c13b2f4bb1a9da416c942c8cadd2c5443fd7ae54
Author: Xiyuan Xia <xiyuan@chromium.org>
Date: Sat Jan 06 23:32:26 2018

[Merge M64] cros: Add per-user command line for site isolate policy

Apply per-user command line for IsolateOrigins and SitePerProcess policy.

TBR=jdufault@chromium.org

(cherry picked from commit 3cc28e744dcaf51b94cd7bdf80d5b91d796f654b)

Bug: 783842, 760761
Change-Id: I26aa567b7689ea0886062c91f539d7e07d354b8b
Reviewed-on: https://chromium-review.googlesource.com/853121
Commit-Queue: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#527521}
Reviewed-on: https://chromium-review.googlesource.com/853076
Cr-Commit-Position: refs/branch-heads/3282@{#433}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}

[modify] https://crrev.com/c13b2f4bb1a9da416c942c8cadd2c5443fd7ae54/chrome/browser/chromeos/login/session/user_session_manager.cc
[modify] https://crrev.com/c13b2f4bb1a9da416c942c8cadd2c5443fd7ae54/chrome/browser/chromeos/login/session/user_session_manager.h
[modify] https://crrev.com/c13b2f4bb1a9da416c942c8cadd2c5443fd7ae54/chrome/browser/ui/webui/flags_ui.cc
,
Jan 8 2018
Tested this issue on Windows 10, Debian 4.9.65 and Mac 10.12.6 with chrome #65.0.3315.0 and ChromeOS_Peppy #65.0.3314.0

Steps Followed for #site-per-process flag:
1. Launched chrome from command line with the following flag
   #chrome.exe --site-per-process
2. Open chrome task manager
3. Navigate to https://yahoo.com
Observed the subframes for the tab yahoo.com

Steps Followed for #isolate-origins flag:
1. Launched chrome from command line with the following flag
   #chrome.exe --isolate-origins=https://youtube.com
2. Open chrome task manager
3. Navigate to https://youtube.com and in other tab navigate to https://yahoo.com
Observed the subframes for youtube tab but not for yahoo tab.

Attaching the screen-cast for reference.

Note: Tested this issue on ChromeOS_Peppy/10289.0.0 #65.0.3314.0
Edited the /etc/chrome_dev.conf according to the flags

palmer@ Could you confirm this is the expected behavior of this feature?

Thank You...
,
Jan 8 2018
#30: I sent you a document with full test instructions and expectations.
,
Mar 2 2018
,
May 17 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5171e8ebb578393308ccbc8beb9c376542c1feb8

commit 5171e8ebb578393308ccbc8beb9c376542c1feb8
Author: Chris Palmer <palmer@chromium.org>
Date: Thu May 17 00:09:58 2018

Create Android-specific enterprise policy settings for Site Isolation.

SitePerProcess and IsolateOrigins work on Chrome Desktop (including Chrome OS). We don't want to make them work on Android, because enterprises that want and can use SI on Desktop might not have an Android fleet capable of it yet. For those that do also want SI on Android, these new Android-specific settings enable that.

BUG=783842, 760761
TEST=Enable one of the new Android-specific policy settings (e.g. IsolateOriginsAndroid) for an enterprise-managed Android device, then follow the verification steps given in https://support.google.com/chrome/a/answer/7581529 (under "Verify Site Isolation"). Then do the same but with the other policy setting (e.g. SitePerProcessAndroid). For both, check also that enabling only the Android-specific policies does not enable SI on Desktop machines in the same management domain.

Change-Id: Id304937132723a6856b0e507bc4b9d801403c429
Reviewed-on: https://chromium-review.googlesource.com/1026390
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Commit-Queue: Chris Palmer <palmer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559352}

[modify] https://crrev.com/5171e8ebb578393308ccbc8beb9c376542c1feb8/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/5171e8ebb578393308ccbc8beb9c376542c1feb8/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/5171e8ebb578393308ccbc8beb9c376542c1feb8/components/policy/resources/policy_templates.json
[modify] https://crrev.com/5171e8ebb578393308ccbc8beb9c376542c1feb8/tools/metrics/histograms/enums.xml
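
Added example, not part of the issue thread or the Chromium source: a small audit helper that reads a managed-policy JSON document and reports which Site Isolation mode it requests on desktop versus Android, following the split between SitePerProcess/IsolateOrigins and their Android-specific counterparts described in the commit message above. It assumes SitePerProcess is a boolean and IsolateOrigins is a comma-separated string of origins; the function names and sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Policy names as they appear in the commit messages on this page.
DESKTOP = ("SitePerProcess", "IsolateOrigins")
ANDROID = ("SitePerProcessAndroid", "IsolateOriginsAndroid")

def parse_origins(value):
    """Split a comma-separated origin list; return (valid, rejected)."""
    valid, rejected = [], []
    for item in (p.strip() for p in str(value).split(",")):
        if not item:
            continue
        u = urlsplit(item)
        # An origin is scheme://host[:port] with no path, query or fragment.
        if (u.scheme in ("http", "https") and u.hostname
                and u.path in ("", "/") and not u.query and not u.fragment):
            valid.append(f"{u.scheme}://{u.netloc}".lower())
        else:
            rejected.append(item)
    return valid, rejected

def effective_isolation(policy_json, platform):
    """Return what a policy document asks for on 'desktop' or 'android'."""
    policy = json.loads(policy_json)
    spp_key, io_key = ANDROID if platform == "android" else DESKTOP
    other = DESKTOP if platform == "android" else ANDROID
    # Settings meant for the other platform family have no effect here.
    warnings = [f"{k} is set but does not apply on {platform}"
                for k in other if k in policy]
    origins, rejected = parse_origins(policy.get(io_key, ""))
    warnings += [f"{io_key}: not an origin: {r!r}" for r in rejected]
    if policy.get(spp_key) is True:
        mode = "site-per-process"   # every site gets a dedicated process
    elif origins:
        mode = "isolate-origins"    # only the listed origins do
    else:
        mode = "none"
    return {"mode": mode, "origins": origins, "warnings": warnings}

# Constructed sample policy documents (not taken from the issue).
SAMPLE_LIST = '{"IsolateOrigins": "https://youtube.com, accounts.example/login"}'
SAMPLE_ANDROID_ONLY = '{"SitePerProcessAndroid": true}'

if __name__ == "__main__":
    for doc in (SAMPLE_LIST, SAMPLE_ANDROID_ONLY):
        for platform in ("desktop", "android"):
            print(platform, effective_isolation(doc, platform))
```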
Comment 1 by lukasza@chromium.org
, Nov 10 2017