Prevent cross-site pages when --site-per-process is passed

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index e86ccaede0d8cf29f508d71c6a58dbe80844c1c2..adcba781cefed2d9a1c23df776678470477ba766 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -66,6 +66,13 @@ class ChildProcessSecurityPolicyImpl::SecurityState {
                          file_permissions_.size());
   }
 
+  bool CanLoadIframe(const GURL& gurl){
+    if (origin_lock_.is_empty())
+      return true;
+    GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);

[Charlie Reis, 2012/11/28 18:58:26]

Please add the same TODO as in CanAccessCookiesForOrigin, since passing NULL
here breaks hosted apps.

[irobert, 2012/11/28 22:50:41]

Done.

+    return origin_lock_ == site_gurl;
+  }
+
   // Grant permission to request URLs with the specified scheme.
   void GrantScheme(const std::string& scheme) {
     scheme_policy_[scheme] = true;
@@ -488,13 +495,31 @@ void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) {
 }
 
 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
-    int child_id, const GURL& url) {
+    int child_id, const GURL& url, ResourceType::Type resource_type) {
   if (!url.is_valid())
     return false;  // Can't request invalid URLs.
 
   if (IsDisabledScheme(url.scheme()))
     return false; // The scheme is disabled by policy.
 
+  // If --enable-strict-site-isolation flag is passed,

[Charlie Reis, 2012/11/28 18:58:26]

--site-per-process

[irobert, 2012/11/28 22:50:41]

Done.

+  // we should enforce stronger security restrictions on page navigation.
+  //
+  // TODO: This will break some WebUI page such as "chrome://extensions/"

[Charlie Reis, 2012/11/28 18:58:26]

nit: TODO(irobert):

Also, move the TODO comment inside the if, and end with a period.

[irobert, 2012/11/28 22:50:41]

Done.

+  // page (belongs to site chrome://chrome/) which loads an iframe for
+  // the page "chrome://uber-frame/" (belongs to site chrome://uber-frame/)
+  if (CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableStrictSiteIsolation) &&

[Charlie Reis, 2012/11/28 18:58:26]

kSitePerProcess

[irobert, 2012/11/28 22:50:41]

Done.

+      (resource_type == ResourceType::MAIN_FRAME ||
+       resource_type == ResourceType::SUB_FRAME)) {

[Charlie Reis, 2012/11/28 18:58:26]

Looks like there's a ResourceType::IsFrame(resource_type) for doing this check. 
We should use that, since that will help if there's ever another type added to
that list.

[irobert, 2012/11/28 22:50:41]

Done.

+    base::AutoLock lock(lock_);
+    SecurityStateMap::iterator state = security_state_.find(child_id);
+    if (state == security_state_.end())
+      return false;
+    if (!state->second->CanLoadIframe(url))

[Charlie Reis, 2012/11/28 18:58:26]

CanLoadIframe isn't an accurate name, if we're also using it for MAIN_FRAME
requests.  How about CanLoadPage?

[irobert, 2012/11/28 22:50:41]

Done.

+      return false;
+  }
+
   if (IsWebSafeScheme(url.scheme()))
     return true;  // The scheme has been white-listed for every child process.
 
@@ -509,7 +534,7 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(
           url.SchemeIs(chrome::kViewSourceScheme))
           return false;
 
-      return CanRequestURL(child_id, child_url);
+      return CanRequestURL(child_id, child_url, resource_type);
     }
 
     if (LowerCaseEqualsASCII(url.spec(), chrome::kAboutBlankURL))