Chrome on Android also opted not to deploy their version of full per-origin isolation for the same reason. However Chrome does create a new process for cross-origin navigation, which is sufficient to protect pages which disable iframe embedding. That's what Apple missed here.

Safari has protection against cross-site navigation enabled by default. The issue here is cross-site window open.

That is a rather odd self-socratic method of commenting.

I usually do it because I want to pose a question and then give one viewpoint of answer to that question, while leaving the floor open to other viewpoints/opinions.

If done well, it leads to a better comment-reading experience. Not sure I did it well in this example though.

It ends up looking like sockpuppetry gone wrong and I think it kind of gives you an excuse to pose the opening question in a (however inadvertent) flameframy, scarecrowy way.

I like the style, your comment created a clear train of thought and context

No. On page 9, Section 5.1 they state that by default Safari will spawn one process per tab and they provide less consolidation by default than Firefox or Chrome. It is only window.open(), which is used to create popups, that was not updated from the old design that did not use isolation to the new model that does support isolation. The "security experts" at Apple were just too incompetent to audit their code base and fix all the known security holes.

I mean, this is not exactly shocking coming from the same company with "security experts" that released a version of macOS that allowed anybody to login to root with any password [1]. Their security review process is grossly incompetent. At some point you should stop believing the "security experts" who do the security equivalent of putting antifreeze into the ice cream because they ran out of sugar and the antifreeze tastes sweet so it must work just as well.

[1] https://arstechnica.com/information-technology/2017/11/macos...