Send origin updates to frame proxies when a frame navigates to new origin.

content/common/frame_replication_state.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_FRAME_REPLICATION_STATE_H_
 #define CONTENT_COMMON_FRAME_REPLICATION_STATE_H_
 
 #include "content/common/content_export.h"
 #include "url/origin.h"
 
@@ skipping 25 matching lines @@
 inline SandboxFlags operator&(SandboxFlags a, SandboxFlags b) {
   return static_cast<SandboxFlags>(static_cast<int>(a) & static_cast<int>(b));
 }
 
 inline SandboxFlags operator~(SandboxFlags flags) {
   return static_cast<SandboxFlags>(~static_cast<int>(flags));
 }
 
 // This structure holds information that needs to be replicated between a
 // RenderFrame and any of its associated RenderFrameProxies.
+//
+// |origin| is updated whenever a frame navigation commits.  |name| is

[Charlie Reis, 2015/04/22 23:41:25]

These look great, but maybe it would help to put them by each member instead of
here at the top.  That will make it easier to add similar comments for new
members.

[alexmos, 2015/04/23 00:07:44]

Done.

+// set when a new child frame is created, using the value of the <iframe>
+// element's "name" attribute (see RenderFrameHostImpl::OnCreateChildFrame),
+// and it is updated dynamically whenever a frame sets its window.name.
+// |sandbox_flags| are initialized for new child frames using the value of the
+// <iframe>'s "sandbox" attribute.  They are updated dynamically whenever a
+// parent frame updates an <iframe>'s sandbox attribute via JavaScript.
+//
+// When |name| is updated dynamically, updates are immediately sent to all
+// frame proxies (when in --site-per-process mode).  This is needed since other
+// frames may attempt to lookup or navigate a frame using its updated name
+// (e.g., using window.open(url, frame_name)).
+//
+// Updates to |sandbox_flags| are sent to proxies only after a subsequent
+// navigation of the (sandboxed) frame, since the flags only take effect on
+// navigation.  The proxies need updated flags so that they can be inherited
+// properly if a proxy ever becomes a parent of a local frame.
+//
+// TODO(alexmos): For now, |origin| updates are also immediately sent to all
+// proxies with --site-per-process. This isn't ideal, since Blink typically
+// needs a proxy's origin only when performing security checks on the ancestors
+// of a local frame.  So, as a future improvement, we could delay sending
+// origin updates to proxies until they have a local descendant (if ever).
+// This would reduce leaking a user's browsing history into a compromized
+// renderer.
 struct CONTENT_EXPORT FrameReplicationState {
   FrameReplicationState();
   FrameReplicationState(const std::string& name);
   ~FrameReplicationState();
 
   // Current serialized security origin of the frame. Unique origins are
   // represented as the string "null" per RFC 6454.
   url::Origin origin;
 
   // Current sandbox flags of the frame.
   SandboxFlags sandbox_flags;
 
   // The assigned name of the frame. This name can be empty, unlike the unique
   // name generated internally in the DOM tree.
   std::string name;
 
   // TODO(alexmos): Eventually, this structure can also hold other state that
   // needs to be replicated, such as frame sizing info.
 };
 
 }  // namespace content
 
 #endif  // CONTENT_COMMON_FRAME_REPLICATION_STATE_H_