2.14 Ensure 'Require Site Isolation for every site' is set to 'Enabled'

Information

This setting controls whether every website loads in its own process.

Disabled (0): Doesn't turn off site isolation, but it lets users opt out.

The recommended state for this setting is: Enabled (1)

Rationale:

Chrome will load each website in its own process. Even if a site bypasses the same-origin policy, the extra security will help stop the site from stealing your data from another website.

Impact:

If the policy is enabled, each site will run in its own process, which will cause the system to use more memory. To get the best of both worlds (isolation and limited impact for users), you might want to look at the Enable Site Isolation for specified origins policy setting and configure it with a list of the sites you want to isolate.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Require Site Isolation for every site

Default Value:

Unset (Same as Disabled, but user can change)
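
One way to audit this setting on a Windows host, as an added example that is not part of the benchmark text. It assumes the Group Policy setting is backed by the SitePerProcess DWORD under HKLM\SOFTWARE\Policies\Google\Chrome, and that the per-origin policy mentioned under Impact is the IsolateOrigins string in the same key; the function name Get-ChromeSiteIsolationState is hypothetical.

```powershell
# Added audit example; not part of the CIS benchmark text.
# Assumption: Chrome machine policy lives under this key, with value names
# 'SitePerProcess' (REG_DWORD) and 'IsolateOrigins' (REG_SZ).
function Get-ChromeSiteIsolationState {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )

    $sitePerProcess = $null
    $isolateOrigins = $null

    if (Test-Path -LiteralPath $PolicyKey) {
        # Get-ItemProperty returns $null for a key that holds no values.
        $values = Get-ItemProperty -LiteralPath $PolicyKey
        if ($values) {
            $prop = $values.PSObject.Properties['SitePerProcess']
            if ($prop) { $sitePerProcess = $prop.Value }
            $prop = $values.PSObject.Properties['IsolateOrigins']
            if ($prop) { $isolateOrigins = $prop.Value }
        }
    }

    # Map the raw value to the states named in the benchmark item:
    # Enabled (1), Disabled (0), Unset (same as Disabled, user can change).
    if ($null -eq $sitePerProcess)     { $state = 'Unset' }
    elseif ($sitePerProcess -eq 1)     { $state = 'Enabled' }
    elseif ($sitePerProcess -eq 0)     { $state = 'Disabled' }
    else                               { $state = "Unexpected ($sitePerProcess)" }

    [pscustomobject]@{
        PolicyKey      = $PolicyKey
        SitePerProcess = $sitePerProcess
        State          = $state
        # Only the recommended state, Enabled (1), passes the check.
        Compliant      = ($state -eq 'Enabled')
        # Reported for context: a per-origin list does not satisfy this item.
        IsolateOrigins = $isolateOrigins
    }
}

Get-ChromeSiteIsolationState | Format-List
```

A host that reports Unset or Disabled fails this item even when IsolateOrigins is populated, because only the listed origins are then guaranteed their own process.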

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|10.5

Plugin: Windows

Control ID: 215bcc68a7c9f31076ac27d8105b915f106b443db62b6e67e5f1060a11ea3c3e