
Add definitions to the Process Model and Site Isolation doc

Add definitions for Citadel and jail-style enforcement.

Test: No behaviour change
Bug: 1506082
Change-Id: I656bedb37a6e2343090c1b6d2b3abf0c24a079a4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5072176
Commit-Queue: Sharon Yang <yangsharon@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1232036}
Sharon Yang
2023-12-01 18:20:43 +00:00
committed by Chromium LUCI CQ
parent 6767be802b
commit 43171370d3

@ -51,12 +51,18 @@ Site Isolation involves:
and workers from a single web site or origin, even if such documents are in
iframes.
* **Browser-Enforced Restrictions**: The privileged browser process can monitor
IPC messages from locked processes to limit their actions or access to site
data (e.g., using ChildProcessSecurityPolicy::CanAccessDataForOrigin).
IPC messages from renderer processes to limit their actions or access to
site data (e.g., using ChildProcessSecurityPolicy::CanAccessDataForOrigin).
This [prevents compromised renderer
processes](https://chromium.googlesource.com/chromium/src/+/main/docs/security/compromised-renderers.md)
from asking for cross-site data, using permissions granted to other sites,
etc.
etc. These restrictions take two main forms:
* _"Jail" checks_: Ensure that a process locked to a particular site can only
access data belonging to that site. If all processes are locked, this is
sufficient protection.
* _"Citadel" checks_: Ensure that unlocked processes cannot access data
for sites that require a dedicated process. This adds protection in cases
where full Site Isolation is not available, such as Android.
* **Network Response Limitations**: Chromium can ensure that locked renderer
processes are only allowed to receive sensitive data (e.g., HTML, XML,
JSON) from their designated site or origin, while still allowing
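Review bot: The new "Jail" bullet's claim that locking all processes "is sufficient protection" should say what it is sufficient against, since the "Citadel" bullet immediately after it describes the case (unlocked processes on Android, where full Site Isolation is not available) in which jail checks alone are not enough; consider "sufficient to keep a compromised renderer from reading another site's data" or similar. Rewording the first sentence from "locked processes" to "renderer processes" is consistent with that split, because Citadel checks apply to unlocked processes, which the old wording excluded.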