Update Mozilla starts rolling out Site Isolation to all Firefox channels

HarborFront

Mozilla has started rolling out the Site Isolation security feature to all Firefox channels, protecting users from attacks launched via malicious websites.

Until today, Site Isolation could only be enabled by users of Firefox Nightly, the release channel used by Mozilla to test new features not yet ready for a wider rollout.

Site Isolation has been under development since April 2018 under the Project Fission codename, with Mozilla first announcing plans to add it to the Firefox web browser in February 2019.

A similar Site Isolation feature is also available in Google Chrome, first released as an experimental feature for Chrome 63 users in December 2017, and later made generally available in Chrome 67, released at the end of May 2018.

How Site Isolation works

The new Site Isolation security architecture acts as an additional security boundary between sites, and it works by completely separating users' web content, loading all sites in separate processes.

Thus it prevents malicious websites from accessing private data (including passwords, credit card numbers, or other sensitive info) loaded from other sites.

For instance, with this new feature enabled, Firefox can protect users from attackers exploiting Meltdown and Spectre vulnerabilities that allow them to harvest sensitive data by reading memory content anywhere within a process's address space.

"This fundamental redesign of Firefox’ Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop," Mozilla engineers Anny Gakhokidze and Neha Kochar said.

"Isolating each site into a separate operating system process makes it even harder for malicious sites to read another site’s secret or private data."


[Figure: How Site Isolation works (Mozilla)]

Besides obvious security advantages, Site Isolation also comes with performance benefits:

  • By placing more pages into separate processes, we can ensure that doing heavy computation or garbage collection on one page will not degrade the responsiveness of pages in other processes.
  • Using more processes to load websites allows us to spread work across many CPU cores and use the underlying hardware more efficiently.
  • Due to the finer-grained separation of sites, a subframe or a tab crashing will not affect websites loaded in different processes, resulting in improved application stability and better user experience.

How to enable Site Isolation

You can start testing Site Isolation right now by enabling it on any Firefox release channel, including Release, Beta, or Nightly.

To do that, you have to follow these step-by-step instructions:

To enable Site Isolation on Firefox Nightly:

  1. Navigate to about:preferences#experimental
  2. Check the “Fission (Site Isolation)” checkbox to enable.
  3. Restart Firefox.

To enable Site Isolation on Firefox Beta or Release:

  1. Navigate to about:config.
  2. Set `fission.autostart` pref to `true`.
  3. Restart Firefox.

[Figure: Enabling Site Isolation]

Toggling on Site Isolation is highly recommended given that it "sandboxes web pages and web frames, isolating them from each other, further strengthening Firefox security."

Once enabled, it will protect you from current and future security vulnerabilities that would allow malicious websites to access private info loaded from other sites.
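
To confirm the `fission.autostart` setting from a profile's files rather than through the UI, the following added example (not from the article or from Mozilla) parses the `user_pref("name", value);` lines in a profile's `prefs.js` and `user.js`. The function names and sample file contents are constructed for illustration; `prefs.js` only stores prefs that were changed, so a missing entry means the channel's built-in default applies.

```python
import re
from pathlib import Path

# user_pref("name", value); is the line format Firefox writes to prefs.js
# and reads from user.js inside a profile directory.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def fission_state(prefs_js="", user_js=""):
    """Classify a profile as 'enabled', 'disabled' or 'default'.
    user.js is applied at startup on top of prefs.js, so it wins."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    value = merged.get("fission.autostart")
    if value is None:
        return "default"  # pref not stored: built-in default applies
    return "enabled" if value is True else "disabled"

def audit_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory (either may be absent)."""
    def read(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""
    return fission_state(read("prefs.js"), read("user.js"))

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("fission.autostart", true);
'''
SAMPLE_USER_JS = 'user_pref("fission.autostart", false);\n'

if __name__ == "__main__":
    print(fission_state(SAMPLE_PREFS_JS))                  # prefs.js only
    print(fission_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # user.js override
```

A `user.js` that sets the pref back to `false` overrides what was toggled in about:config on the next start, which is why both files are checked.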


 

silversurfer

So apps like "Temporary Containers" or "Firefox Multi-Account Containers" and so on would bring no (security/privacy) gain anymore?

In terms of privacy, "Firefox Multi-Account Containers" should still be worth using, even more so on shopping websites...

Temporary Containers would be redundant and it's probably less secure than this new Site-Isolation by Mozilla.
 

geminis3

If you're on the Nightly channel, you can enable it from the Experiments tab in Settings



There's also an interesting toggle to disable Win32K API calls from the browser




 

SecureKongo

silversurfer said: "So apps like "Temporary Containers" or "Firefox Multi-Account Containers" and so on would bring no (security/privacy) gain anymore?"

I actually think neither Temporary Containers nor Multi-Account Containers are necessary anymore when enabling the strict mode in the Firefox tracking protection settings. Setting it to strict enables Total Cookie Protection, which isolates the cookies from each website.


 

SecureKongo

For people using Nightly, this could be an option to check whether Fission is enabled or not:

Enabling Fission

[Image: A "[F]" in a loaded tab's tooltip indicates that Fission is enabled]

Fission is still in active development, and can only be enabled in Firefox Nightly.

  1. In about:config, set the "fission.autostart" and "gfx.webrender.all" prefs to "true". DO NOT edit any other "fission.*" or "gfx.webrender.*" prefs.
  2. Restart Nightly.

You can verify that Fission has been enabled by hovering over the current tab. If the tooltip contains a "[F]", Fission is enabled. Background tabs' tooltips might not have the "[F]" if they are not loaded yet.


For others using the stable release, the approach that @silversurfer has mentioned is actually working.
 

rain2reign

SecureKongo said: "I actually think neither Temporary Containers nor Multi-Account Containers are necessary anymore when enabling the strict mode in the Firefox tracking protection settings. Setting it to strict enables Total Cookie Protection, which isolates the cookies from each website."

I use Multi-Account Containers alongside custom with settings: everything ticked, block all third-party cookies, and block trackers in all windows. Strict only blocks cross-site cookies, unfortunately. Aside from that, it's a nice addon to use, if you need to manage or access more than 1 account at the same time without needing multiple browser profiles or browsers themselves for that matter. :)
 

SecureKongo

rain2reign said: "I use Multi-Account Containers alongside custom with settings: everything ticked, block all third-party cookies, and block trackers in all windows. Strict only blocks cross-site cookies, unfortunately. Aside from that, it's a nice addon to use, if you need to manage or access more than 1 account at the same time without needing multiple browser profiles or browsers themselves for that matter. :)"

Doesn't really matter that it only blocks cross-site cookies as it's creating an individual cookie "jar" for every website. I personally think that multi-account containers are just a pain to use. But if they are working fine for you, keep using them. :)
 