Update process sharing rules for hosted and isolated apps.

chrome/browser/chrome_content_browser_client.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chrome_content_browser_client.h"
 
 #include <set>
 #include <vector>
 
 #include "base/bind.h"
@@ skipping 142 matching lines @@
 
   return true;
 }
 
 // Used by the GetPrivilegeRequiredByUrl() and GetProcessPrivilege() functions
 // below.  Extension, and isolated apps require different privileges to be
 // granted to their RenderProcessHosts.  This classification allows us to make
 // sure URLs are served by hosts with the right set of privileges.
 enum RenderProcessHostPrivilege {
   PRIV_NORMAL,
+  PRIV_HOSTED,
+  PRIV_ISOLATED,
   PRIV_EXTENSION,
-  PRIV_ISOLATED,
 };
 
 RenderProcessHostPrivilege GetPrivilegeRequiredByUrl(
     const GURL& url,
     ExtensionService* service) {
   // Default to a normal renderer cause it is lower privileged. This should only
   // occur if the URL on a site instance is either malformed, or uninitialized.
   // If it is malformed, then there is no need for better privileges anyways.
   // If it is uninitialized, but eventually settles on being an a scheme other
   // than normal webrenderer, the navigation logic will correct us out of band
   // anyways.
   if (!url.is_valid())
     return PRIV_NORMAL;
 
   if (url.SchemeIs(chrome::kExtensionScheme)) {
     const Extension* extension = service->GetExtensionByURL(url);
-    if (extension && extension->is_storage_isolated()) {
+    if (extension && extension->is_storage_isolated())
       return PRIV_ISOLATED;
-    }
+    if (extension && extension->is_hosted_app())
+      return PRIV_HOSTED;
 
     return PRIV_EXTENSION;
   }
 
   return PRIV_NORMAL;
 }
 
 RenderProcessHostPrivilege GetProcessPrivilege(
     content::RenderProcessHost* process_host,
     extensions::ProcessMap* process_map,
     ExtensionService* service) {
-  // TODO(aa): It seems like hosted apps should be grouped separately from
-  // extensions: crbug.com/102533.
   std::set<std::string> extension_ids =
       process_map->GetExtensionsInProcess(process_host->GetID());
   if (extension_ids.empty())
     return PRIV_NORMAL;
 
   for (std::set<std::string>::iterator iter = extension_ids.begin();
        iter != extension_ids.end(); ++iter) {
     const Extension* extension = service->GetExtensionById(*iter, false);
     if (extension && extension->is_storage_isolated())
       return PRIV_ISOLATED;
+    if (extension && extension->is_hosted_app())
+      return PRIV_HOSTED;
   }
 
   return PRIV_EXTENSION;
 }
 
+bool IsIsolatedAppInProcess(const GURL& site_url,
+                            content::RenderProcessHost* process_host,
+                            extensions::ProcessMap* process_map,
+                            ExtensionService* service) {
+  std::set<std::string> extension_ids =
+      process_map->GetExtensionsInProcess(process_host->GetID());
+  if (extension_ids.empty())
+    return false;
+
+  for (std::set<std::string>::iterator iter = extension_ids.begin();
+       iter != extension_ids.end(); ++iter) {
+    const Extension* extension = service->GetExtensionById(*iter, false);
+    if (extension &&
+        extension->is_storage_isolated() &&
+        extension->url() == site_url)
+      return true;
+  }
+
+  return false;
+}
+
 bool CertMatchesFilter(const net::X509Certificate& cert,
                        const base::DictionaryValue& filter) {
   // TODO(markusheintz): This is the minimal required filter implementation.
   // Implement a better matcher.
 
   // An empty filter matches any client certificate since no requirements are
   // specified at all.
   if (filter.empty())
     return true;
 
@@ skipping 207 matching lines @@
   // Experimental:
   // If --enable-strict-site-isolation is enabled, do not allow non-WebUI pages
   // to share a renderer process.  (We could allow pages from the same site or
   // extensions of the same type to share, if we knew what the given process
   // was dedicated to.  Allowing no sharing is simpler for now.)  This may
   // cause resource exhaustion issues if too many sites are open at once.
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (command_line.HasSwitch(switches::kEnableStrictSiteIsolation))
     return false;
 
+  // An isolated app is only allowed to share with the exact same app in order
+  // to provide complete renderer process isolation.  This also works around
+  // issue http://crbug.com/85588, where different isolated apps in the same
+  // process would end up using the first app's storage contexts.
+  RenderProcessHostPrivilege privilege_required =
+      GetPrivilegeRequiredByUrl(site_url, service);
+  if (privilege_required == PRIV_ISOLATED)
+    return IsIsolatedAppInProcess(site_url, process_host, process_map, service);
+
+  // Otherwise, just make sure the process privilege matches the privilege
+  // required by the site.
   return GetProcessPrivilege(process_host, process_map, service) ==
-      GetPrivilegeRequiredByUrl(site_url, service);
+      privilege_required;
 }
 
 void ChromeContentBrowserClient::SiteInstanceGotProcess(
     SiteInstance* site_instance) {
   CHECK(site_instance->HasProcess());
 
   Profile* profile = Profile::FromBrowserContext(
       site_instance->browsing_instance()->browser_context());
   ExtensionService* service = profile->GetExtensionService();
   if (!service)
@@ skipping 726 matching lines @@
 #if defined(USE_NSS)
 crypto::CryptoModuleBlockingPasswordDelegate*
     ChromeContentBrowserClient::GetCryptoPasswordDelegate(
         const GURL& url) {
   return browser::NewCryptoModuleBlockingDialogDelegate(
       browser::kCryptoModulePasswordKeygen, url.host());
 }
 #endif
 
 }  // namespace chrome