"You said that we could come to you if we had any questions..."

.

I want to get a proper understanding of site isolation so that I use it correctly and avoid "bad" practices. I've searched but didn't find specific enough answers.

This has been asked in general ways several times before by others but they have gone unanswered or been misdirected (example). Which is why I'm asking anally explicit questions to avoid general talk and get to the bottom of this, hopefully.

For reference, I have already read the following links carefully multiple times:

https://grapheneos.org/usage#web-browsing
https://www.chromium.org/Home/chromium-security/site-isolation/
https://www.chromium.org/developers/design-documents/site-isolation/

.

I understand that there are two elements to site isolation:

  • standard site isolation policy as defined by Chromium, which is "domain" based,

  • and process isolation, intended as a secondary layer for memory sandboxing.

    I specifically want to ask about the "standard" site isolation features, not the process isolation, since it seems the fundamental features are placed there.

Based on my testing of Vanadium and using a logged-in instance of the GOS Forum site I can see that there are essentially 2 partitions. The standard partition, and the "private browsing" partition. Visiting the GOS forum "logged-in" in either of these partitions does not carry over to the other partition, it seems. It seems that I can have two separate instances of GOS forums this way.

Question 1: can I actually trust that this is the case and these two instances are fully isolated from each other (for the same website)?

Question 2: Is this bidirectional? Or can one see into the other but not the other way around? My testing seemed to suggest bidirectionality (neither sees into the other).

.

When I however tried to open the same site in the same partition but in a different tab (tried both in standard and private browsing modes) the site is not isolated between different tabs. Which suggests that tabs, even in private browsing, are not isolated from each other, at least for the same site. This seems to be in line with descriptions in the linked documentation regarding "sites being separated into own processes".

Question 3: Am I correct about the above paragraph? Have I understood correctly?

.

But this still might not be indicative of multiple sites sharing the same partition.

The real scenario that I (and likely others) want to protect from (and get an understanding of) is browsing from site to site, link to link, as you do, and staying private from those sites knowing which sites and pages I visited previously.

This itself is split into two cases:

  • Case 1 - where I am logged into an account (google for example), and am travelling to other sites.
  • Case 2 - where I am not logged into anything and travelling from site to site.

Question 4: due to the site isolation feature, is each site I visit separated into its own site container within a partition and not able to see any saved (or in memory) data from the other sites? Or are they able to see each others' cookies and other data?

Question 5: would sites that have google analytics or other components (JS bundles) built into them be able to see the google account in case 1?

Question 6: what about sites that don't have any google components built into them, will they be able to see the google account in case 1?

Question 7: if sites are isolated within the same partition and are not able to see any data (cookies and other) from other sites then how do cross site cookies and cross site signalling work? Seems like an incompatible concept.

Question 8: if sites within a partition can see each others' data (cookies, DOM storage, etc), if I open 10 different sites in 10 different tabs, (all remaining open, case 2) will the last site opened see the cookies set from first site? And will the first site see the cookies from the last site opened?

Question 9: Does site isolation (containment) work exactly the same for standard browsing as compared to private browsing or does private browsing offer any extra isolation of any kind?

Question 10: the additional site isolation added by GrapheneOS to Vanadium is of the "process" type and in the memory exploit protection realm, yes?

.

.

Okay. And to redeem myself, I did NOT say it like him. So don't be pointin'.
Context: https://www.youtube.com/watch?v=gWvnkuXkHaI
More context: https://www.youtube.com/watch?v=EPQZkhC_QQs

    User2288 Once a web site sets a cookie, that cookie is normally available to that site in all tabs, but not across the regular/incognito boundary. That availability across tabs for the same site does not mean that the tabs are run by the same process, or that they aren't -- the issues are orthogonal. Whether or not cookies are shared across sites is a very complicated topic -- see, for example, Vanadium's settings about "third-party cookies".

    When you click from one site to another, the second site normally finds out about the first one via the Referer header.

    One of the key features of incognito mode is that cookies (etc.) are not saved. Sites are allowed to set cookies, because they demand that in order to work, but once you close all of your incognito tabs all of those cookies are gone forever. The same can be done manually for non-incognito tabs, e.g., Settings, Privacy and Security, Clear browsing data, Advanced, and/or Settings, Site settings, All sites.
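The Referer behaviour mentioned in this reply, as an added example that is not part of the original post or of Vanadium's code: a small function that computes what the header would contain for a click from one page to another under each Referrer-Policy value, with Chromium's default (strict-origin-when-cross-origin) as the default argument. The URLs are constructed.

```javascript
// What the Referer header carries when a user clicks from one page to another,
// under the Referrer-Policy values a page can set. Added example code written
// for this thread, not browser source; URLs are constructed. The default is
// Chromium's (strict-origin-when-cross-origin).
function refererFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Browsers never send the fragment or embedded credentials.
  const fullRef = from.origin + from.pathname + from.search;
  // Origin-only form, with the trailing slash browsers actually send.
  const originRef = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return fullRef;
    case "origin":
      return originRef;
    case "same-origin":
      return sameOrigin ? fullRef : null;
    case "strict-origin":
      return downgrade ? null : originRef;
    case "no-referrer-when-downgrade":
      return downgrade ? null : fullRef;
    case "origin-when-cross-origin":
      return sameOrigin ? fullRef : originRef;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? fullRef : originRef;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Compare the default against the two extremes for one click.
function compareClick(fromUrl, toUrl) {
  return {
    defaultPolicy: refererFor(fromUrl, toUrl),
    unsafeUrl: refererFor(fromUrl, toUrl, "unsafe-url"),
    noReferrer: refererFor(fromUrl, toUrl, "no-referrer"),
  };
}

console.log(compareClick("https://forum.example/t/123?x=1#top", "https://other.example/"));
```

Under the default policy a cross-site click tells the second site only which origin you came from, not which page; `unsafe-url` hands over the full URL (minus fragment), and `no-referrer` nothing at all. A site that wants to limit what its outbound links reveal sets the policy itself via the `Referrer-Policy` header or a `<meta name="referrer">` tag.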

    Yes "process" isolation is purely for the running process. Stored data is not containerized, that is why I think all this isolation stuff is so misleading.

    Firefox has containers and total cookie protection. You can open a new container and the locally stored cookies are separated.

    This is a different field but both are important. All that "sandboxing" is for security, processes should not run code on another or the system.

    There is 3rd party cookie blocking, which means the site can save its cookie and know stuff about your interactions with that site. But a 3rd party like facebook can't place a cookie if you are on another site, and know you were here.

    Two different things here. Everything you "see" is cookies.

      missing-root Stored data is not containerized, that is why I think all this isolation stuff is so misleading.

      Vanadium does state partitioning which takes care of what you probably mean by "containerization" and is similar to FF's state partitioning (FPI, dFPI, TCP). But as you mentioned, this is a different topic than site isolation.

      User2288

      I could not make much sense of your questions in the context of site isolation. I assume that you actually mean state partitioning and not site isolation. See https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning for an introduction to that topic. Vanadium passes all state partitioning tests (except blob) on https://privacytests.org and blocks third-party cookies by default. You can test your browser config on https://privacytests.org/me.html. You can ignore the other sections on that website.
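To make concrete the distinction drawn in the last two replies (third-party cookie blocking and state partitioning as opposed to site isolation), here is a toy cookie-jar model written for this thread. It is constructed example code, not Chromium's or Vanadium's implementation, and the host names are made up; the eTLD+1 ("site") computation is simplified to the last two labels. It shows that a site's cookie is visible from every tab on that site but not from the incognito jar, that without partitioning a tracker embedded on two unrelated sites reads back the same identifier, and how third-party cookie blocking and state partitioning each close that off.

```javascript
// Toy model of browser cookie storage. Constructed example, not browser source.
// Simplification: the last two labels stand in for the registrable domain
// (eTLD+1), which is the "site" that site isolation and partitioning talk about.
function registrableSite(host) {
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor({ partitioned = false, blockThirdParty = false } = {}) {
    this.partitioned = partitioned;         // state partitioning on/off
    this.blockThirdParty = blockThirdParty; // third-party cookie blocking on/off
    this.store = new Map();                 // storage key -> cookie value
  }

  // ctx describes the frame running the code: the top-level site shown in the
  // tab's address bar and the host of the document (or embedded frame) itself.
  isThirdParty(ctx) {
    return registrableSite(ctx.host) !== registrableSite(ctx.topLevelSite);
  }

  // Without partitioning a cookie is keyed only by the site that set it, so an
  // embedded tracker sees one jar everywhere. With partitioning the top-level
  // site becomes part of the key, so each embedding site gets its own copy.
  storageKey(ctx, name) {
    const partition = this.partitioned ? registrableSite(ctx.topLevelSite) : "*";
    return `${partition}|${registrableSite(ctx.host)}|${name}`;
  }

  set(ctx, name, value) {
    if (this.blockThirdParty && this.isThirdParty(ctx)) return false; // write refused
    this.store.set(this.storageKey(ctx, name), value);
    return true;
  }

  get(ctx, name) {
    if (this.blockThirdParty && this.isThirdParty(ctx)) return undefined;
    return this.store.get(this.storageKey(ctx, name));
  }
}

// One browsing session: log in on forum.example, then visit two unrelated
// sites that both embed the same tracker. Returns what each party can read.
function runScenario(opts = {}) {
  const regular = new CookieJar(opts);
  const incognito = new CookieJar(opts); // separate jar, discarded when closed

  const forumTab1 = { topLevelSite: "forum.example", host: "forum.example" };
  const forumTab2 = { topLevelSite: "forum.example", host: "forum.example" };
  regular.set(forumTab1, "session", "logged-in");

  // news.example embeds a tracker.example frame, which drops an identifier.
  const trackerOnNews = { topLevelSite: "news.example", host: "cdn.tracker.example" };
  const trackerWrote = regular.set(trackerOnNews, "uid", "42");

  // shop.example embeds the same tracker. Does it recognise the user?
  const trackerOnShop = { topLevelSite: "shop.example", host: "cdn.tracker.example" };

  return {
    sameSiteOtherTab: regular.get(forumTab2, "session"),        // tabs share a site's cookies
    incognitoSeesLogin: incognito.get(forumTab1, "session"),   // incognito jar is separate
    trackerWrote,
    trackerSeesOwnIdOnNews: regular.get(trackerOnNews, "uid"),
    trackerRecognisesUserOnShop: regular.get(trackerOnShop, "uid"),
  };
}

console.log("default   ", runScenario());
console.log("partition ", runScenario({ partitioned: true }));
console.log("block 3p  ", runScenario({ blockThirdParty: true }));
```

With neither protection the tracker reads back `42` on shop.example and so links the two visits. Partitioning keeps the tracker working on each site but gives it a fresh, separate cookie per embedding site; blocking third-party cookies refuses the write altogether. Neither setting has anything to do with which renderer process a tab runs in, which is the point the replies above were making.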

      How1 So Vanadium uses sandboxing to isolate websites?

      Vanadium sandboxes each site. Each renderer process runs in the isolatedProcess SELinux domain, which is a very restricted domain, even more than the normal app sandbox, with no permissions and only access to two binder services, and uses fine-grained seccomp filters to reduce attack surface. That's the environment which is supposed to be used for untrusted web content in the Android security model.