Move existing kSitePerProcess checks to a policy-oracle object

content/public/common/site_isolation_policy.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_PUBLIC_COMMON_SITE_ISOLATION_POLICY_H_
+#define CONTENT_PUBLIC_COMMON_SITE_ISOLATION_POLICY_H_
+
+#include "base/command_line.h"
+#include "content/common/content_export.h"
+#include "url/gurl.h"
+
+namespace content {
+
+// A centralized place for making policy decisions about out-of-process iframes,
+// site isolation, --site-per-process, and related features.
+//
+// This is currently static because all these modes are controlled by command-
+// line flags.
+class CONTENT_EXPORT SiteIsolationPolicy {
+ public:
+  // Returns true if the current process model might dictate the use of cross-
+  // process iframes. This should typically used to avoid executing codepaths
+  // that only matter for cross-process iframes, to protect the default
+  // behavior.
+  //
+  // Note: Since cross process frames will soon be possible by default (e.g. for

[nasko, 2015/07/08 12:52:23]

nit: You've standardized on having cross-process hyphenated, but here it isn't.

+  // <iframe src="http://..."> in an extension process), usage should be limited
+  // to temporary stop-gaps.
+  //
+  // Instead of calling this method, prefer to examine object state to see
+  // whether a particular frame happens to have a cross-process relationship
+  // with another, or to consult DoesSiteRequireDedicatedProcess() to see if a
+  // particular site merits protection.
+  static bool AreCrossProcessFramesPossible();

[nasko, 2015/07/08 12:52:23]

nit: AreCrossProcessFramesEnabled? Possible to me implies that it is not
guaranteed to be true. While it is correct not all frames will be cross-process
and it will be dependent on policy, I think for this one we care whether we
should be doing extra work in the case there is at least one cross-process
iframe.

[ncarter (slow), 2015/07/10 23:29:18]

I prefer "possible" to "enabled", because there's not going to be a way to
enable or disable cross process iframes. Instead, there are ways to enable
various features that might create cross process iframes. I wanted a name that
was hard to confuse with "--site-per-process enabled", because I think this
function is soon going to be:

 HasSwitch(kSitePerProcess) ||
 isolate_extensions ||
 enable_new_guest_mode

To me, "Possible" communicates that uncertainty in a good way.

+
+  // Returns true if pages loaded from |site| ought to be handled only by a
+  // renderer process isolated from other sites. If --site-per-process
+  // is on the command line, this is true for all sites.
+  //
+  // Eventually, this function will be made to return true for only some schemes
+  // (e.g. extensions) or a whitelist of sites that we should protect for this
+  // user.
+  static bool DoesSiteRequireDedicatedProcess(const GURL& site);
+
+  // Returns true if navigation and history code should maintain per-frame
+  // navigation entries. This is an in-progress feature related to site
+  // isolation, so the return value is currently tied to --site-per-process.
+  // TODO(creis, avi): Make this the default, and eliminate this.
+  static bool UseSubframeNavigationEntries();
+
+  // Returns true if <webview> should be implemented in terms of cross-process
+  // iframes. This is an in-progress feature related to site isolation, so the
+  // return value is currently tied to --site-per-process.
+  // TODO(lazyboy, nick): This should probably be a command line flag separate
+  // from full site isolation (--site-per-process).
+  static bool GuestsShouldUseCrossProcessFrames();
+
+  // Appends --site-per-process to the command line, enabling tests to exercise
+  // site isolation and cross-process iframes.
+  //
+  // TODO(nick): In some places this method is called from the top of a test
+  // body. That's not strictly safe (it's setting a command line after it
+  // already may have been read). We should try make that pattern safer, as it
+  // makes browser tests easier to write.
+  static void IsolateAllSitesForTesting(base::CommandLine* command_line);
+
+  // Returns true if all sites are isolated. Typically used to bail from a test
+  // that is incompatible with --site-per-process.
+  static bool AreAllSitesIsolatedForTesting();
+
+ private:
+  SiteIsolationPolicy();  // Not instantiable.
+
+  DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy);
+};
+
+}  // namespace content
+
+#endif  // CONTENT_PUBLIC_COMMON_SITE_ISOLATION_POLICY_H_