Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Browsers
Chrome & Chromium
Anyone using Chrome's flags to increase security and/or privacy
Message
<blockquote data-quote="Windows_Security" data-source="post: 641474" data-attributes="member: 50782"><p><strong>Very stable options</strong></p><p>#extension-content-verification</p><p>This flag can be used to turn on verification that the contents of the files on disk for extensions from the webstore match what they're expected to be. The choice STRICT enforces a hash check. This option can not be turned off by software (to prevent tampering with by malware). Although not the same it can be compared with a signature check of normal programs (but it is a hash check for extensions in Chrome store).</p><p></p><p>#enable-permissions-blacklist</p><p>This requires you to have Chrome safe browsing feature enabled. URL-filtering is a numbers game, the more real users surfing or crawling the internet, the more URL's are collected. Chrome has because of ANdroid OS and its installed base of the browser the largest user base. When this setting is enabled visiting a website on the Google Chrome blacklist, will reduce permission in the browser (e.g. an ask or allow plug-ins to run code outside the sandbox, or use of camera will be turned into a no when enabling this setting).</p><p></p><p><strong>Stable options</strong></p><p>#enable-site-per-process</p><p>This security mode ensures that a website is rendered by a separate process. In this mode cross site iframes will be processes OOP (out of process) in it sown sandbox.These "strictly isolates" pages are never allowed to share a process with regular web pages, even when navigating in a single tab. This is generally acceptable from a compatibility perspective because no scripting is expected between normal pages and WebUI pages, and because these can never be loaded in subframes of unprivileged pages. With the current level of support for out-of-process iframes, Chrome can also keep web content out of privileged extension processes. There is a interesting read about this process (started in 2012) <a href="https://www.chromium.org/developers/design-documents/site-isolation" target="_blank">Site Isolation - The Chromium Projects</a>.</p><p></p><p>#enable-top-document-isolation</p><p>When you allow the enable-site-per-process feature, the number of renderer processes will grow with the number of websites opened in your browser. When Chrome uses a lot of renderer process it will automatically start to re-use processes. This sort of defeats the purpose of enable-site-per-process. This feature (enable-top-document-isolation) puts cross-site iframes in ONE separate process from the top document. In this mode, iframes from different third-party sites will be allowed to share a process. Historically, third party content such as ads and analytics used document.write to load script resources. So by grouping them together in one separate process you gain performance and keep resources available for others (e.g. for enable-site-per-process).</p><p></p><p><strong>Could impactwebsites</strong></p><p>#disallow-doc-written-script-loads</p><p>This blocks loading or cross-origin, parser-blocking scripts inserted via document.write in the main document. It was intended to be automatically enable on slow networks (e.g. 2G). Historically, third party content such as ads and analytics used document.write to load script resources. Despite support for asynchronous loading, websites still keep using document.write. This harms performance (and potentially also security). Since it is used by ads and analytics, any block generated by this feature probably don't have a negative impact anyway (unless you like to be tracked and read ads). Edit: when you have a javascript pop-up blocker installed you don't need to enable this setting.</p><p></p><p>#enable-framebusting-needs-sameorigin-or-usergesture</p><p>Don't permit an iframe to navigate the top level browsing context unless they are same-origin or the iframe is processing a user gesture. This was implemented with Chrome 56 but pulled back with chrome 57 after reported breakage. It might impacts some user verification/payment checks when doing online shopping. I have enabled it on my Asus Transformer, but disabled it on my wife's laptop and my desktop. When I do online banking or book flights and hotels (on travel) with my Asus everything seems to run fine (I am recognised and are allowed to finalize payment).</p></blockquote><p></p>
[QUOTE="Windows_Security, post: 641474, member: 50782"] [B]Very stable options[/B] #extension-content-verification This flag can be used to turn on verification that the contents of the files on disk for extensions from the webstore match what they're expected to be. The choice STRICT enforces a hash check. This option can not be turned off by software (to prevent tampering with by malware). Although not the same it can be compared with a signature check of normal programs (but it is a hash check for extensions in Chrome store). #enable-permissions-blacklist This requires you to have Chrome safe browsing feature enabled. URL-filtering is a numbers game, the more real users surfing or crawling the internet, the more URL's are collected. Chrome has because of ANdroid OS and its installed base of the browser the largest user base. When this setting is enabled visiting a website on the Google Chrome blacklist, will reduce permission in the browser (e.g. an ask or allow plug-ins to run code outside the sandbox, or use of camera will be turned into a no when enabling this setting). [B]Stable options[/B] #enable-site-per-process This security mode ensures that a website is rendered by a separate process. In this mode cross site iframes will be processes OOP (out of process) in it sown sandbox.These "strictly isolates" pages are never allowed to share a process with regular web pages, even when navigating in a single tab. This is generally acceptable from a compatibility perspective because no scripting is expected between normal pages and WebUI pages, and because these can never be loaded in subframes of unprivileged pages. With the current level of support for out-of-process iframes, Chrome can also keep web content out of privileged extension processes. There is a interesting read about this process (started in 2012) [URL='https://www.chromium.org/developers/design-documents/site-isolation']Site Isolation - The Chromium Projects[/URL]. #enable-top-document-isolation When you allow the enable-site-per-process feature, the number of renderer processes will grow with the number of websites opened in your browser. When Chrome uses a lot of renderer process it will automatically start to re-use processes. This sort of defeats the purpose of enable-site-per-process. This feature (enable-top-document-isolation) puts cross-site iframes in ONE separate process from the top document. In this mode, iframes from different third-party sites will be allowed to share a process. Historically, third party content such as ads and analytics used document.write to load script resources. So by grouping them together in one separate process you gain performance and keep resources available for others (e.g. for enable-site-per-process). [B]Could impactwebsites[/B] #disallow-doc-written-script-loads This blocks loading or cross-origin, parser-blocking scripts inserted via document.write in the main document. It was intended to be automatically enable on slow networks (e.g. 2G). Historically, third party content such as ads and analytics used document.write to load script resources. Despite support for asynchronous loading, websites still keep using document.write. This harms performance (and potentially also security). Since it is used by ads and analytics, any block generated by this feature probably don't have a negative impact anyway (unless you like to be tracked and read ads). Edit: when you have a javascript pop-up blocker installed you don't need to enable this setting. #enable-framebusting-needs-sameorigin-or-usergesture Don't permit an iframe to navigate the top level browsing context unless they are same-origin or the iframe is processing a user gesture. This was implemented with Chrome 56 but pulled back with chrome 57 after reported breakage. It might impacts some user verification/payment checks when doing online shopping. I have enabled it on my Asus Transformer, but disabled it on my wife's laptop and my desktop. When I do online banking or book flights and hotels (on travel) with my Asus everything seems to run fine (I am recognised and are allowed to finalize payment). [/QUOTE]
Insert quotes…
Verification
Post reply
Top
