
Actions required to mitigate Speculative Side-Channel Attack techniques

Researchers from Google's Project Zero recently disclosed a series of new attack techniques against speculative execution optimizations used by modern CPUs. This research has implications for products and services that execute externally supplied code, including Chrome and other browsers with support for JavaScript and WebAssembly. Further information about other Google products and services, including Chrome OS, is available on the Google Online Security Blog.

Chrome allows users to enable an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities. With Site Isolation enabled, less data is exposed to speculative side-channel attacks because Chrome renders the content of each open website in a separate process, so a renderer holds only its own site's data. Read more about Site Isolation, including some known issues, and how to enable it via enterprise policies or via chrome://flags.

Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018. Future Chrome releases will include additional mitigations and hardening measures which will further reduce the impact of this class of attack. Additionally, the SharedArrayBuffer feature is being disabled by default. The mitigations may incur a performance penalty.

Web developers should consider the following advice to best protect their sites:

  • Where possible, prevent cookies from entering the renderer process's memory by using the SameSite and HttpOnly cookie attributes, and by avoiding reading from document.cookie.

  • Make sure your MIME types are correct and specify an X-Content-Type-Options: nosniff header for any URLs with user-specific or sensitive content, to get the most out of cross-site document blocking for users who have Site Isolation enabled.
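
As an added example (not code from the Chromium page), a short Node.js audit that checks a response's headers against the two points above; the header and cookie attribute names are the standard ones, and the two sample responses are constructed.

```javascript
// Added example: audit a sensitive endpoint's response headers for the
// cookie and content-type mitigations recommended above. `weakResponse`
// and `hardenedResponse` are constructed samples, not captured traffic.

// Parse a Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Map();
  for (const a of attrs) {
    const [k, v] = a.split('=');
    // Boolean attributes (Secure, HttpOnly) have no value.
    flags.set(k.toLowerCase(), v === undefined ? true : v);
  }
  return { name, flags };
}

// `headers` maps lower-cased header names to values; Set-Cookie is an
// array because the header may repeat. Returns a list of findings,
// empty when the response follows the advice.
function auditHeaders(headers) {
  const findings = [];
  for (const c of headers['set-cookie'] || []) {
    const { name, flags } = parseSetCookie(c);
    if (!flags.has('httponly')) findings.push(`cookie ${name}: missing HttpOnly`);
    const sameSite = flags.get('samesite');
    // SameSite=None imposes no cross-site restriction, so treat it as absent.
    if (!sameSite || String(sameSite).toLowerCase() === 'none') {
      findings.push(`cookie ${name}: SameSite should be Lax or Strict`);
    }
  }
  // nosniff only helps cross-site document blocking when the declared
  // MIME type is explicit and correct, so require both.
  if (!headers['content-type']) findings.push('missing Content-Type');
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Constructed samples: a response that ignores the advice and its fixed form.
const weakResponse = {
  'set-cookie': ['session=abc123; Path=/'],
};
const hardenedResponse = {
  'content-type': 'application/json; charset=utf-8',
  'x-content-type-options': 'nosniff',
  'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
```

Running `auditHeaders(weakResponse)` lists four findings, while the hardened response produces none.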

Web developers should also see the Meltdown/Spectre WebFundamentals post.

In line with other browsers, Chrome has disabled SharedArrayBuffer on Chrome 63 starting on Jan 5th, and will modify the behavior of other APIs to help reduce the efficacy of speculative side-channel attacks. This is intended as a temporary measure until other mitigations are in place.