caption: Enable Site Isolation for specified origins
desc: |-
Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com.
Since <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.
Note that all sites (i.e., scheme plus eTLD+1, such as https://example.com) are already isolated by default on Desktop platforms, as noted in the <ph name="SITE_PER_PROCESS_POLICY_NAME">SitePerProcess</ph> policy. This <ph name="ISOLATE_ORIGINS_POLICY_NAME">IsolateOrigins</ph> policy is useful to isolate specific origins at a finer granularity (e.g., https://a.example.com).
Also note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.
Setting the policy to off or leaving it unset lets users change this setting.
Note: For Android, use the <ph name="ISOLATE_ORIGINS_ANDROID_POLICY_NAME">IsolateOriginsAndroid</ph> policy instead.
device_only: false
example_value: https://a.example.com/,https://othersite.org/,https://[*.]corp.example.com
features:
dynamic_refresh: false
per_profile: false
future_on:
- fuchsia
owners:
- [email protected]
- [email protected]
schema:
type: string
supported_on:
- chrome.*:63-
- chrome_os:63-
tags:
- system-security
type: string
Codebase Browser
chromium