A Single-Site Browser (SSB) is a highly restricted Web browser only capable of connecting to a single website. A “website” can be defined as a white-listed collection of one or more hostnames, IP addresses, ports, and protocols. For example, the SSB may only connect to Yahoo Mail “*.yahoo.com”, Facebook “https://www.facebook.com,” or Bank of America “https://www.bankofamerica.com/” and nothing else. In addition to these hostnames, an SSB would likely also need to have entries for off-domain content delivery networks and any required third-party Web widgets, but you get the idea. With a Yahoo Mail SSB you could not visit Facebook and a Facebook SSB could not visit Yahoo Mail.
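To make the “white-listed collection of hostnames, ports, and protocols” concrete, here is an added example of how an SSB could enforce such a policy. This is illustrative code written for this article, not code from the original post or from any real SSB product. The entry syntax, the `cdn.example.net` host standing in for a third-party CDN, and the sample URLs are assumptions constructed for the example; the matching rules are deny-by-default, so anything not explicitly listed (including non-HTTP schemes) is refused.

```javascript
'use strict';
// Added example for this article: a navigation allow-list for a Single-Site
// Browser (SSB). Not code from any real SSB product. The entry syntax, the
// cdn.example.net host and the sample URLs below are assumptions/constructed.

const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// Parse one allow-list entry into a rule. Supported (assumed) entry forms:
//   "*.yahoo.com"                    any http(s) subdomain of yahoo.com
//   "https://www.facebook.com"       exact host, https only
//   "https://www.bankofamerica.com/" trailing path ignored
//   "https://*.cdn.example.net:8443" wildcard host with explicit port
function parseEntry(entry) {
  let rest = entry.trim();
  let schemes = null;                          // null = http or https
  const sm = rest.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (sm) {
    schemes = [sm[1].toLowerCase()];
    rest = rest.slice(sm[0].length);
  }
  rest = rest.replace(/\/.*$/, '');            // drop any path
  let port = null;                             // null = default port of the scheme
  const pm = rest.match(/:(\d+)$/);
  if (pm) {
    port = Number(pm[1]);
    rest = rest.slice(0, pm.index);
  }
  const host = rest.toLowerCase();
  const wildcard = host.startsWith('*.');
  return { schemes, host: wildcard ? host.slice(2) : host, wildcard, port };
}

// Decide whether the SSB may issue a request to urlString under the policy.
// Everything not explicitly allowed is denied, including non-http(s) schemes.
function isAllowed(policy, urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;                              // unparsable: deny
  }
  const defaultPort = DEFAULT_PORTS[url.protocol];
  if (defaultPort === undefined) return false; // javascript:, data:, file:, ...
  const scheme = url.protocol.slice(0, -1);    // "https:" -> "https"
  const port = url.port ? Number(url.port) : defaultPort;
  const host = url.hostname.toLowerCase();     // URL parser already strips userinfo
  return policy.some((rule) => {
    if (rule.schemes && !rule.schemes.includes(scheme)) return false;
    const requiredPort = rule.port !== null ? rule.port : defaultPort;
    if (port !== requiredPort) return false;
    // Wildcard: require a real label boundary. A bare endsWith("yahoo.com")
    // would also accept "evilyahoo.com"; a substring check would accept
    // "mail.yahoo.com.evil.example".
    return rule.wildcard ? host.endsWith('.' + rule.host) : host === rule.host;
  });
}

// Policies for two of the article's SSBs. The CDN host is hypothetical.
const BANK_SSB = [
  'https://www.bankofamerica.com/',
  'https://*.cdn.example.net',
].map(parseEntry);
const YAHOO_SSB = ['*.yahoo.com'].map(parseEntry);

// Constructed sample navigations, of the kind a page could try to force,
// checked against the bank SSB's policy.
const SAMPLE_URLS = [
  'https://www.bankofamerica.com/login',
  'http://www.bankofamerica.com/',
  'https://www.bankofamerica.com:8443/',
  'https://www.bankofamerica.com.evil.example/',
  'https://www.bankofamerica.com@evil.example/',
  'https://static.cdn.example.net/app.js',
  'https://www.facebook.com/',
  'javascript:alert(1)',
];
for (const u of SAMPLE_URLS) {
  console.log(isAllowed(BANK_SSB, u) ? 'ALLOW' : 'DENY ', u);
}
```

In a real SSB this check has to run on every request the page causes (subresources, redirects, popups, frames), not just on what is typed in the address bar, which is why the CDN and widget hosts mentioned above have to be in the list too. The three traps worth noting are the ones the sample URLs exercise: matching a wildcard by suffix without the leading dot, trusting anything before an `@` in the URL, and forgetting to reject non-HTTP schemes outright.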
Hypothetically, let’s say I’m an average online user. My “important” online accounts are Yahoo Mail (email), Facebook (social network), and Bank of America (bank). These are the online accounts I REALLY don’t want hacked. I’m disciplined enough to only use these services, and more importantly to only log in to them, with their respective SSB. All my other promiscuous Web surfing is conducted with a general purpose Web browser like Chrome, Firefox, or Internet Explorer.
Next, let’s consider a common attack flow for XSS. Assume I’m logged into Twitter’s website with Chrome, and I click on a link from someone I follow, one of those shortened links whose real destination you can’t see before clicking. That link is a disguised (reflected) XSS attack targeting Yahoo Mail, Facebook, or Bank of America, aka the accounts I care about. If the XSS vulnerability is located in an authenticated section of the website, more than likely I’ll get redirected and asked to log in. I’ll know not to enter my username and password, because those only ever go into that website’s SSB; anything asking for them in Chrome is, by my own rule, a page I don’t trust. So I’m safe and not auto-hacked.
If the vulnerability does NOT require authentication, I’ll get XSS’ed. While the attacker has control over my browser, at least temporarily, he can’t steal my authenticated session cookies because they don’t exist in this browser: Chrome has never held a session for any of those sites. Unless I break my rule and log in outside the SSB, my “important” accounts remain safe.
What about CSRF? While using a general purpose Chrome browser I click on some random link, could be on a blog post, message board, or news story. This link sends my browser to a malicious website that attempts to CSRF me on Yahoo Mail, Facebook, or Bank of America. Chrome can always be forced to send forged HTTP requests to whatever target website, that is the nature of CSRF, but since I’m not authenticated there nothing will happen that compromises or even adversely affects my “important” accounts. (The one twist, login CSRF, where the attacker forces Chrome to log in to an account he controls, still touches only his account and never mine.) The exact same is true for a Clickjacking attack. Any XSS, CSRF, or Clickjacking payload a bad guy chooses to deploy is limited to unauthenticated attacks, which can still be damaging, but the accounts I care about remain safe.
When everything is considered, the only time I can get my accounts compromised by XSS, CSRF, or Clickjacking is while I’m within the SSB. This dramatically cuts down my risk profile when traversing the Web. Suddenly general purpose browsing with Chrome, Firefox, or Internet Explorer becomes safer, because my authenticated sessions (cookies and any other session state) are separated from the rest of my browsing by desktop application boundaries.