Enhance --enable-strict-site-isolation to prevent a site-isolated renderer

content/browser/child_process_security_policy.h

Index: content/browser/child_process_security_policy.h
===================================================================
--- content/browser/child_process_security_policy.h	(revision 109054)
+++ content/browser/child_process_security_policy.h	(working copy)
@@ -141,6 +141,14 @@
   // Returns true if the specified child_id has been granted ReadRawCookies.
   bool CanReadRawCookies(int child_id);
 
+  // Returns true if the process is permitted to see and use the cookies for
+  // the given origin.

[Charlie Reis, 2011/11/10 01:09:26]

Let's add a comment on these two that they're only currently used when
--enable-strict-site-isolation is specified, and possibly also that they're
experimental.  (I don't see us ever being able to turn them on by default, but
maybe they will be useful for things like isolated apps.)

+  bool CanUseCookiesForOrigin(int child_id, const GURL& gurl);
+
+  // Sets the process as only permitted to use and see the cookies for the
+  // given origin.
+  void LockToOrigin(int child_id, const GURL& gurl);
+
  private:
   friend class ChildProcessSecurityPolicyInProcessBrowserTest;
   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,