Spectra and Firefox/Chrome

donmontalvo
Esteemed Contributor III

Firefox (mainline and ESR)
Mozilla Foundation Security Advisory 2018-01 | Speculative execution side-channel attack ("Spectre")
- Fixed in Firefox 57.0.4 (mainline), or Firefox ESR 52.x.

Google Chrome
Actions required to mitigate Speculative Side-Channel Attack techniques
- Google Chrome for Enterprise can be handled by Google Admin policy.
- For standard Google Chrome, looks like the fix is GUI, go to [chrome://flags/#enable-site-per-process](chrome://flags/#enable-site-per-process) > Strict site isolation > Enable.

Ether beer to anyone who can come up with a way to programmatically set the non-enterprise version of Google Chrome. :)

--
https://donmontalvo.com
5 REPLIES 5

saul_herman
New Contributor II

I am using the "Custom settings" option in a config profile with the following set:

65c303624dac46a5a0188363222ab16c

Works really well, but only once Chrome gets relaunched.

donmontalvo
Esteemed Contributor III

@saul.herman Nice, they mention the SitePerProcess key, wish they'd get their documentation updated.

We'll test this...and yea ether beer...

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

saul_herman
New Contributor II

@donmontalvo It might not show up unde the chrome://flags URL but if you go to chrome://policy it will show there as being enabled. Have you tried that?

donmontalvo
Esteemed Contributor III

@saul.herman yep, confirming you are right. Thanks for the heads up!

--
https://donmontalvo.com