Move existing kSitePerProcess checks to a policy-oracle object

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index bb4a3e217a5a38a496ba7c7d7ea9da9f2ab4284a..c1da0e9ec4737a2442e9d9789256a19740b8ab20 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -16,7 +16,7 @@
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/common/bindings_policy.h"
-#include "content/public/common/content_switches.h"
+#include "content/public/common/site_isolation_policy.h"
 #include "content/public/common/url_constants.h"
 #include "net/base/filename_util.h"
 #include "net/url_request/url_request.h"
@@ -566,11 +566,11 @@ bool ChildProcessSecurityPolicyImpl::CanLoadPage(int child_id,
                                                  ResourceType resource_type) {
   // If --site-per-process flag is passed, we should enforce
   // stronger security restrictions on page navigation.
-  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kSitePerProcess) &&
+  if (SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(url) &&
       IsResourceTypeFrame(resource_type)) {
     // TODO(nasko): Do the proper check for site-per-process, once
     // out-of-process iframes is ready to go.
+    // TODO(nick): Can we trust |resource_type| here?

[nasko, 2015/07/08 12:52:22]

I don't think we can do that before PlzNavigate, since the bit comes from the
renderer. I don't know if somewhere in the network stack this is checked for
sanity, but I would assume no.

[ncarter (slow), 2015/07/10 23:29:18]

That's good to know. I'm leaving the TODO here because it'll be an important
thing to consider in depth when we get around to this step.

     return true;
   }
   return true;