Skip to main content

What is browser isolation?

What is browser isolation?
Lucas Giordano's avatarBy Lucas Giordano · Co-founder, Notte
Last updated
TL;DR

Browser isolation is the technical containment around a session's browser — the OS-level boundaries that keep what happens inside one session from reaching another session, the host system, or another tenant's data. Different platforms implement it at different layers (profile, process, container, microVM) and the layer dictates what threats it actually contains.

What is browser isolation?

A browser is, by design, executing arbitrary code from arbitrary servers. That's how the web works. The same property is also the thing that makes browsers a juicy target — every page is potentially hostile, and once an attacker is executing in your browser they have a starting point for getting further. Browser isolation is the layered set of OS-level controls that decides how far that starting point can reach. The terminology overlaps heavily with browser sandboxing — both refer to the same containment property — but isolation tends to emphasize the infrastructure layer (which OS boundaries) while sandboxing emphasizes the security layer (which threats are contained).

Why isolation matters even outside security

Two reasons besides "compromised page can't escape":

  • Multi-tenant data safety. A platform running browser sessions for many customers needs strong guarantees that customer A's session can't read customer B's data. Process isolation isn't enough; container isolation isn't enough either if the kernel is shared.
  • Reproducibility. A truly isolated session starts from a known-clean state every time. Same Chromium build, same OS image, same fonts, no leftover state from a previous run. That makes automation more deterministic.

For a single-tenant developer running scripts on their laptop, isolation barely matters. For a cloud-browser platform serving thousands of customers, it's the foundational property the rest of the stack depends on.

The four isolation layers

In increasing order of strength and cost:

  1. Profile-level. One Chromium binary running multiple Chrome profiles, each with its own cookies and storage. The lightest form. Catches casual cross-profile state leakage; doesn't isolate anything else.
  2. Process-level. Each session is its own Chromium process. Different memory space, different cookie storage, different file handles. Modern Chrome already isolates tabs at this level. Stops most casual bugs but a kernel-level escape still reaches the host.
  3. Container-level. The browser runs inside a Linux container (or equivalent) with seccomp / namespaces / cgroups limits. Strong against most realistic threats — file system, networking, and process trees are scoped per session. Weak against true kernel exploits because the kernel is still shared with neighbors.
  4. MicroVM / hardware-virt-level. The browser runs in a Firecracker-style microVM with its own kernel and hardware-backed memory isolation. The strongest practical option for cloud-browser products and the right answer for multi-tenant platforms.
What it stopsWhat it misses
ProfileCasual cross-profile stateProcess-level escape, kernel exploit, host filesystem reach
ProcessCookie/storage leakage between tabsKernel exploit, host filesystem reach
ContainerFile system, network, process-tree access between sessionsKernel-level container escape
MicroVMCross-tenant memory access, kernel escapeHardware-level side channels (rare)

Choosing the right layer

The threat model dictates the answer:

  • Single-developer, friendly targets → profile or process isolation is fine. Local Chromium handles this by default.
  • Multi-tenant platform serving customers → container at minimum, microVM for any regulated workload.
  • Workloads handling PII or regulated data → microVM, with the right PII handling and zero data retention on top.
  • Threat-modeling for prompt injection → microVM. A successfully-injected agent doing the wrong thing in its own microVM is bounded; in a shared container it isn't.

A common shorthand: if you're sharing a kernel with another tenant, you don't have isolation. If you're sharing a kernel with another instance of yourself, you mostly do.

Notte's posture

Each Notte cloud-browser session runs in its own isolated instance with the kind of layered controls described above. SOC 2 Type II is in place; specific architectural detail (which layer in which regions, against which threat model) is what the Notte Trust Center is for. From the developer's side, isolation is automatic — every client.Session(...) opens a fresh, isolated browser; nothing crosses the boundary unless you explicitly persist it via a profile.

Common pitfalls

  • Confusing tab isolation with session isolation. Chrome isolates tabs at the process level; that's not the same as isolating sessions. Two tabs in one session share storage; two sessions don't.
  • Trusting Playwright "browser contexts" for multi-tenant work. They isolate cookies, not the kernel. Cross-tenant leaks under attacker pressure are documented.
  • Treating isolation as enough. Isolation contains an attacker once they're in your stack. It doesn't prevent them from getting in via prompt injection or social engineering. Pair with PII handling, ZDR, and credential vaulting.

Key takeaways

  • Browser isolation is the OS-level containment around a session's browser — the layer that decides how far compromised page content can reach.
  • Four layers, increasing strength and cost: profile, process, container, microVM. The right layer depends on threat model and tenancy.
  • For multi-tenant or regulated workloads, the only acceptable answer is microVM-class isolation per session.
  • Closely related to browser sandboxing (same idea, security framing) and PII handling (the data-flow framing on the same surface).

Build your AI agent on the open web with Notte

Cloud browsers, agent identities, and the Anything API — everything you need to ship reliable browser agents in production.

Start freeSee plans