Additional details to mitigate exploitation in @googlechrome here: https://www.chromium.org/Home/chromium-security/ssca … 
https://twitter.com/laparisa/status/948683252436426752 …
Replying to @laparisa @googlechrome
"Don’t serve user-specific or sensitive content from URLs that attackers can predict or easily learn." <-- Umm...
To be clear, this isn't a criticism of Chrome, just an expression of the existential horror this result implies for the fundamental architecture of the Web.
The real story in that doc is the years of hard work @nasko and others have done on Site Isolation in Chrome.
To be honest, if I'd been the executive in charge of budget for the project, I'd probably have said that work was pretty far on the wrong side of a cost/benefit calculation.
Now that work looks incredibly prescient and creates a differentiator between Chrome and all its competitors that is in a class by itself.
Shows also the value of running something like P0 in being able to get these kinds of hard calls right, and being prepared for entirely new bug classes that nobody else is even thinking about except to throw up their hands.
Not true that nobody else is even thinking about isolating sites. There are legitimate reasons to prefer software isolation over HW.
The most obvious example: Web pages can, and do, have way more cross-domain iframes than a reasonable OS process limit can account for.
That doesn’t mean we shouldn’t do multiprocess Site Isolation, but we shouldn’t pretend it’s a panacea.