
Hello everyone,



I am trying to find out how to enable a Chrome flag on the Chrome manifest. The flag I want enabled is SitePerProcess, which is Strict Site Isolation; the reason I am doing this is the new Spectre and Meltdown issue. I have looked into the Policy List on Chromium: http://www.chromium.org/administrators/policy-list-3#SitePerProcess



The problem I am having is I don't know which is the proper way to add this to the manifest. Does this look right? This is just an example; any help will be greatly appreciated.



```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SitePerProcess</key>
<true/>
</dict>
</plist>
```



Let me know what you all think, thank you.

We're testing that in our environment, but decided to enforce it as a configuration profile (since we want this to be an immutable setting). Your syntax looks fine for the plist to enforce that value, but you might consider creating a Config Profile in Jamf Pro, uploading the Chrome plist as a payload under the Custom Settings section, and scoping it out from there.


Thanks for the response, I will try your method after testing the plist on a couple of test machines. Thank you.


Tried using <true /> (as outlined by Google), and <true/> (common sense)...neither work.





Tried using a Configuration Profile. Tried User level...then tried Computer level...neither work.



Tried using defaults write com.google.Chrome SitePerProcess -bool true as the user...nada.



Definitely using Google Chrome 63.x, the setting doesn't seem to work on standard Google Chrome.





I wonder if this setting only works with Google Chrome for Enterprise?



Maybe Google needs to #fixTheirShit?


@donmontalvo I can't remember where I saw it mentioned, but I read that the managed settings are not reflected in the Chrome UI (so yes Google still need to #fixTheirShit).



On this page https://support.google.com/chrome/a/answer/7581529 there are steps to "Verify site isolation".



I deployed a profile with the following as a custom payload. Machines with this profile passed the test mentioned above (ie sites were isolated). The Chrome UI reports that Strict Site Isolation is not enabled.



```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SitePerProcess</key>
<true/>
</dict>
</plist>
```
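A pre-deployment check for a custom payload like the one above, added here as an example and not part of any post in this thread: it confirms the plist is well formed and that SitePerProcess is a real boolean true. The function name and the sample payloads are constructed for illustration.

```python
import plistlib

# Constructed sample payloads (not taken from any real deployment).
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SitePerProcess</key>
<true/>
</dict>
</plist>
"""
# Same payload written with <true /> instead of <true/>.
SPACED = GOOD.replace(b"<true/>", b"<true />")
# Same payload with the closing </plist> tag missing.
TRUNCATED = GOOD.replace(b"</plist>\n", b"")
# Boolean written as a string, which is not a boolean policy value.
STRING_VALUE = GOOD.replace(b"<true/>", b"<string>true</string>")


def check_policy_payload(data, key="SitePerProcess"):
    """Return (ok, reason) for a Chrome policy plist payload (hypothetical helper)."""
    try:
        prefs = plistlib.loads(data)  # accepts XML and binary plists
    except Exception as exc:  # parser errors differ by plist format
        return False, f"not a well-formed plist: {exc}"
    if not isinstance(prefs, dict):
        return False, "top-level object is not a <dict>"
    if key not in prefs:
        return False, f"{key} is not set"
    value = prefs[key]
    if value is True:
        return True, f"{key} is boolean true"
    return False, f"{key} is {type(value).__name__} {value!r}, expected boolean true"


if __name__ == "__main__":
    import sys

    # With no arguments, report on the constructed samples.
    if len(sys.argv) == 1:
        for name in ("GOOD", "SPACED", "TRUNCATED", "STRING_VALUE"):
            print(name, *check_policy_payload(globals()[name]))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, *check_policy_payload(fh.read()))
```

Both `<true/>` and `<true />` parse to the same boolean, so the spacing does not affect the payload.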

@mrowell thanks, you're the second person to state this.



Ed Marczak (@marczak) just left Google, he suggested opening a ticket.


The configuration profile method works. Chrome://flags and Chrome://Policy are different settings. If you deploy the configuration profile, you can verify it was successful at chrome://policy.



Do not go off chrome://flags; that is just a way to "force" enable other features.



They do state this in their documentation but it is very easy to miss. I must have spent a few hours trying to enable the flag before I realized that the policy was already enabled.



"If you choose to deploy the site isolation feature, Google recommends you use Chrome policy and not the command line flag."


@zachary.fisher You are absolutely right, I spent hours reading through documentation until I found this. To verify if it worked you have to go to chrome://policy. I was able to make it work and test it, as Google has documentation and a test site that they have created for testing if Strict Site Isolation is actually working or not. Here is the site: https://support.google.com/chrome/a/answer/7581529

